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(54) Secure gateway and method for communication between networks 



(57) An apparatus and method for providing a se- 
cure firewail between a private network ( 1 0) and a public 
network (12) are disclosed. The apparatus is a gateway 
station (14) having an operating system that is modified 
to disable communications packet forwarding, and fur- 
ther modified to process any communications packet 
having a network encapsulation address which matches 
the device address of the gateway station. The method 
includes enabling the gateway station to transparently 
initiate a first communications session with a client on a 
first network requesting a network service from a host 
on a second network, and a second independent com- 
munications session with the network host to which the 
client request was addressed. The data portion of com- 
munications packets from the first session are passed 
to the second session, and vice versa, by application 
level proxies which are passed the communications 
packets by the modified operating system. Data sensi- 
tivity screening is preferably performed on the data to 
ensure security. Only communications enabled by a se- 
curity administrator are permitted. The advantage is a 
transparent firewall with application level security and 
data screening capability. 
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D scription 

TECHNICAL FIELD 

5 This application relates generally to internetwork communications and data exchanges and, in particular to secure 

gateways which serve as firewalls between computer networks to inhibit electronic vandalism and espionage. 

BACKGROUND OF THE INVENTION 

10 As computing power and computer memory have been miniaturized and become more affordable, computer net- 

works have largely displaced mainframe and minicomputer technology as a business automation platform. Public in- 
formation networks have also sprung up around the world. The largest and most pervasive public network is the Internet 
which was created in the late 1960s as a United States Department of National Defence project to build a network 
connecting various military sites and educational research centers. While the interconnection of private networks with 

is public networks such as the Internet may provide business opportunities and access to vital information, connecting 
a private, secure network to a public network is hazardous unless some form of secure gateway is installed between 
the two networks to serve as a "firewall". 

Public networks, as their name implies, are accessible to anyone with compatible hardware and software. Conse- 
quently, public networks attract vandals as well as amateurs and professionals involved in industrial espionage. Private 

20 networks invariably store trade secret and confidential information which must be protected from exposure to unau- 
thorized examination, contamination, destruction or retrieval. Any private network connected to a public network is 
vulnerable to such hazards unless the networks are interconnected through a secure gateway which prevents unau- 
thorized access Irom the public network. 

A great deal of effort has been dedicated to developing secure gateways for internetwork connection. As noted 

25 above, these gateways are commonly referred to as firewalls. The term firewall is broadly used to describe practically 
any internetwork security scheme. Firewalls are generally developed on one or more of three models: the screening 
router, the bastion host and the dual homed gateway. These models may be briefly defined as: 

Screening router - Screening routers typically have the ability to block traffic between networks or specific hosts 
on an IP port level. Screening routers can be specially configured commercial routers or host-based packet filtering 

oo applications. Screening routers are a basic component of many firewalls. Some firewalls consist exclusively of a screen- 
ing router or a packet filter. 

Bastion host - Bastion hosts are host systems positioned between a private network and a public network which 
have particular attention paid to their security. They may run special security applications, undergo regular audits, and 
include special features such as "sucker traps" to detect and identify would-be intruders. 

35 Dual homed gateway - A dual homed gateway is a bastion host with a modified operating system in which TCP/IP 

forwarding has been disabled. Therefore, direct traffic between the private network and the public network is blocked. 
The private network can communicate with the gateway, as can the public network but the private network cannot 
communicate with the public network except via the public side of the dual homed gateway. Application level or "proxy" 
gateways are often used to enhance the functionality of dual homed gateways. Much of the protocol level software on 

40 networks operates in a store-and-forward mode. Prior art application level gateways are service-specific store-and- 
forward programs which commonly operate in user mode instead of at the protocol level. 

All of the internetwork gateways known to date suffer from certain disadvantages which compromise their security 
or inconvenience users. Most known internetwork gateways are also potentially susceptible to intruders if improperly 
used or configured. 

•*s The only firewall for many network installations is a screening router which is positioned between the private net- 

work and the public network. The screening router is designed to permit communications only through certain prede- 
signated ports. Many network services are offered on specific designated ports. Generally, screening routers are con- 
figured to permit all outbound traffic from the private network while restricting inbound traffic to those certain specific 
ports allocated to certain network services. A principal weakness of screening routers is that the router's administrative 

50 password may be compromised. If an intruder is capable of communicating directly with the router, the intruder can 
very easily open the entire private network to attack by disabling the screening algorithms. Unfortunately this is ex- 
tremely difficult to detect and may go completely unnoted untii serious damage has resulted. Screening routers are 
also subject to permitting vandalism by "piggybacked" protocols which permit intruders to achieve a higher level of 
access than was intended to be permitted. 

55 Packet filters are a more sophisticated type of screening that operates on the protocol level. Packet filters are 

generally host-based applications which permit certain communications over predefined ports. Packet Miters may have 
associated rule bases and operate on the principle of "that which is not expressly permitted is prohibited". Public 
networks such as the Internet operate in TCP/IP protocol. A UNIX operating system running TCP/IP has a capacity ot 
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64K communication ports. It is therefore generally considered impractical to construct and maintain a comprehensive 
rule base for a packet filter application. Besides, packet filtering is implemented using the simple Internet Protocol (IP) 
packet filtering mechanisms which are not regarded as being robust enough to permit the implementation of an ade- 
quate level of protection. The principal drawback of packet filters is that they are executed by the operating system 
5 kernel and there is a limited capacity at that level to perform screening functions. As noted above : protocols may be 
piggybacked to either bypass or fool packet filtering mechanisms and may permit skilled intruders to-access the private 
network. 

The dual homed gateway is an often used and easy to implement alternative. Since the dual homed gateway does 
not forward TCP/IP traffic, it completely blocks communication between the public and private networks. The ease of 

w use of a dual homed gateway depends upon how it is implemented. It may be implemented by giving users logins to 
the public side of the gateway host, or by providing application gateways, for specific services. If users are permitted 
to log on to the gateway, the firewall security is seriously weakened because the risk of an intrusion increases sub- 
stantially, perhaps exponentially, with each user login due to the fact that logins are a vulnerable part of any security 
system. Logins are often compromised by a number of known methods and are the usual entry path for intruders. 

is The alternative implementation of a dual homed gateway is the provision of application gateways for specific net- 

work services. Application gateways have recently gained general acceptance as a method of implementing internet- 
work firewalls. Application gateways provide protection at the application level and the Transmission Control Protocol 
(TCP) circuit layer. They therefore permit data sensitivity checking and close loopholes left in packet filters. Firewalls 
equipped with application gateways are commonly labelled application level firewalls. These firewalls operate on the 

20 principle of "that which is not expressly permitted is prohibited". Users can only access public services for which an 
application gateway has been installed on the dual homed gateway. Although application level firewalls are secure : 
the known firewalls of this type are also inefficient. The principal disadvantage of known application level firewalls is 
that they are not transparent to the user. They generally require the user to execute time-consuming extra operations 
or to use specially adapted network service programs. For example, in an open connection to the Internet, a user can 

25 Telnet directly to any host on the Internet by issuing the following command: 
Telnet target. machine 

However if the user is behind an application level firewall, the following command must be issued: 
Telnet firewall 

After the user has established a connection with the firewall, the user will optionally enter a user ID and a password 
30 if the firewall requires authentication. Subsequent to authentication: the user must request that the firewall connect to 
the final Telnet target machine. This problem is the result of the way in which the UNIX operating system handles IP 
packets. A standard TCP/IP device will only accept and attempt to process IP packets addressed to itself. Consequently, 
if a user behind an application firewall issues the command: 
Telnet target. machine 

35 an IP packet will be generated by the user workstation that is encapsulated with the device address of the firewall but 
with an IP destination address of the target. machine. This packet will not be processed by the firewall station and will 
therefore be discarded because IP packet forwarding has been disabled in the application level firewall. 

Known application level firewalls also suffer from the disadvantage that to date application interfaces have been 
required for each public network service. The known application level firewalls will not support "global service" or 
applications using "dynamic port allocations" assigned in real time by communicating systems. 

Users on private networks having an application level firewall interface therefore frequently install "back doors" to 
the public network in order to run services for which applications have not been installed, or to avoid the inconvenience 
of the application gateways. These back doors provide an unscreened, unprotected security hole in the private network 
which renders that network as vulnerable as if there were no firewall at all. 

45 

SUMMARY OF THE INVENTION 

It is an object of the invention to provide an internetwork security gateway which overcomes the known disadvan- 
tages of prior art internetwork security gateways. 
so it is a further object of the invention to provide an internetwork security gateway which provides application proxy 

flexibility, security and control while permitting users to transparently access public network services. 

It is a further object of the invention to provide an internetwork security gateway which supports any currently 
offered or future network service. 

It is yet a further object of the invention to provide an internetwork security gateway which supports applications 
55 using port numbers that are dynamically assigned in real time by the communicating systems. 

It is yet a further object of the invention to provide an internetwork security gateway which listens to all communi- 
cations ports in order to detect any attempted intrusion into a protected network, regardless of the intruder's point of 
attack. 
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In accordance wilh a first aspect of the invention there is disclosed a method of providing a secure gateway between 
a private network and a potentially hostile network, comprising the steps of: 

a) accepting from either network all communications packets that are encapsulated with a hardware destination 
5 address that matches the device address of the gateway; 

b) determining whether there is a process bound to a destination port number of an accepted communications 
packet: 

c) establishing a first communications session with a source address/source port of the accepted communications 
packet if there is a process bound to the destination port number else dropping the packet: 

io d) establishing a second communications session with a destination address/destination port number of the 

accepted communications packet if a first communications session is established: and 

e) transparently moving data associated with each subsequent communications packet between the respective 
first and second communications sessions, whereby the first session communicates with the source and the second 
session communicates with the destination using the data moved between the first and second sessions. 

15 

In accordance with a further aspect of the invention there is disclosed an apparatus for providing a secure gateway 
for data exchanges between a private network and a potentially hostile network, comprising in combination: 

a gateway station adapted for connection to a telecommunications connection with each of the private network 
20 and the potentially hostile network: 

an operating system executable by the gateway station, a kernel of the operating system having been modified 
so that the operating system: 

a) cannot forward any communications packet from the private network to the potentially hostile network or 
25 from the potentially hostile network to the private network; and 

b) will accept for processing any communications packet from either of the private network and the potentially 
hostile network provided that the packet is encapsulated with a hardware destination address that matches 
the device address of the gateway station on the respective networks: and 

oo at least one proxy process executable by the gateway station, the proxy process being adapted to transparently 

initiate a first communications session with a source of an initial data packet accepted by the operating system 
and to transparently initiate a second communications session with a destination of the packet, and to transparently 
pass a data portion of packets received by the first communications session to the second communications session 
and to pass the data portion of packets received by the second communications session to the first communications 

35 session, whereby the first session communicates with the source using data from the second session and the 

second session communicates with the destination using data received from the first session. 

The invention therefore provides a method and an apparatus which permits a private network to be securely in- 
terconnected with a public or a potentially hostile network. 

JO The method in accordance with the invention involves protecting a private network interconnected with a potentially 

hostile network whereby a gateway between the two networks transparently imitates a host when a communication 
data packet is received from a client on one of the networks by initiating a communication session with the client. If 
the client is determined to have access rights to the requested service, the gateway station imitates the client to the 
host on the other network by initiating a communications session with the host. Thereafter data is passed between 

45 the client session and the host session by a process which coordinates communications between the two distinct, 
interdependent communications sessions which proceed between the client and the gateway station and the host and 
the gateway station. 

For instance, using a gateway station in accordance with the invention as an internetwork interface, a user on the 
private network can issue the command: 
50 telnet publictarget. machine 

and the command will appear to the user to be executed as if no gateway existed between the networks so long as 
the user is permitted by the rule bases maintained by the private network security administrator to access the public- 
target machine. 

In order to achieve transparency of operation, the gateway station is modified to accept for processing all IP packets 
55 encapsulated in a network operating system capsule (e.g. an ethernet capsule) having a destination address which 
matches the device address of the gateway station, regardless of the destination address of the IP packet. This mod- 
ification permits the gateway station to provide transparent service to users on either network, provided the users are 
authorized for the service. Furthermore, the gateway station in accordance with the invention runs a novel generic 
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proxy which permits it to listen to all of the 64K communications ports accommodated by the UNIX operating system 
which are not served by a dedicated proxy process. As is well known to those skilled in the art, certain internetwork 
services have been assigned specific ports for communication. Most of the designated ports on the Internet are those 
port numbers in the range of 0-1 K (1,024). Other applications and services use port numbers in the range of 1K to 

5 64K. As noted above, the gateway station in accordance with the invention "listens" to all 64K ports. The generic proxy 
process which is executed by the gateway station responds to any request for service that is not served by a dedicated 
proxy process, regardless of the destination port number to which the request for service is made. Every request for 
service may therefore be responded to. When an intruder attacks a private network, the intruder must attempt to access 
the network through the gateway station. Most firewalls listen to only a limited subset of the available communications 

w ports. An intruder can therefore probe unattended areas of the firewall without detection. The gateway station in ac- 
cordance with the invention will, however, detect a probe on any port and may be configured to set an alarm condition 
if repeated probes are attempted. The gateway station in accordance with the invention can also be configured to 
perform data sensitivity screening because all communications packets are delivered by the kernel to the application 
level where the data portion of each packet is passed from one in progress communications session to the other. Data 

is sensitivity screening permits the detection of sophisticated intrusion techniques such as piggybacked protocols, and 
the like. 

The apparatus in accordance with the invention is modeled on the concept of a bastion host, preferably configured 
as a dual home firewall. The apparatus in accordance with the invention may also be configured as a multiple-home 
firewall, a single-home firewall or a screened subnet. Regardless of the configurator the apparatus preferably com- 

20 prises a UNIX station which executes a modified operating system in which IP packet forwarding is disabled. The 
apparatus in accordance with the invention will not forward any IP packet, process I CMP direct messages nor process 
any source routing packet between the potentially hostile network and the private network. Without IP packet forward- 
ing, direct communication between the potentially hostile network and the private network are disabled. This is a com- 
mon arrangement for application level firewalls. The apparatus in accordance with the invention is, however, configured 

25 to provide a transparent interface between the interconnected networks so that clients on either network can run stand- 
ard network service applications transparently without extra procedures, or modifications to accomplish communica- 
tions across the secure gateway. This maximizes user satisfaction and minimizes the risk of a client establishing a 
"back door" to a potentially hostile network. 

The methods and the apparatus in accordance with the invention therefore provide a novel communications gate- 

30 way for interconnecting private and public networks which permit users to make maximum use of public services while 
providing a tool for maintaining an impeccable level of security for the private network. 

BRIEF DESCRIPTION OF THE DRAWINGS 

35 A preferred embodiment of the invention will now be further explained by way of example only and with reference 

to the following drawings, wherein: 

FIG. 1 is a schematic diagram of a preferred configuration for an apparatus in accordance with the invention for 
providing a secure gateway for data exchanges between a private network and a potentially hostile network; 
40 FIG. 2 is a schematic diagram of an IP header, a TCP and a UDP header in accordance with standard TCP/IP 

format; 

FIG. 3 is a schematic diagram of ethernet encapsulation in accordance with RFC 894: 

FIG. 4 is a schematic diagram of a communications flow path between a gateway station in accordance with the 
invention, a client on a private network and a host on a public network; 
45 FIG. 5 is a flow diagram of a general overview of TCP routing by the kernel of a UNIX station in accordance with 

the prior art: 

FIG. 6 is a flow diagram of a general overview of TCP routing by a modified UNIX kernel in accordance with the 
invention; 

FIG. 7a is a first portion of a flow diagram of a general overview of the implementation of the invention at the 
50 application level of a gateway station; and 

FIG. 7b is a second portion of the flow diagram shown in FIG. 7a. 

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT 

55 Most UNIX hosts communicate using TCP/IP protocol. The preferred embodiment of the invention is therefore 

constructed from a UNIX station having a UNIX operating system. While the preferred embodiment of the invention 
described below is explained with particular reference to the UNIX environment, it is to be well understood by those 
skilled in the art that the principles, concepts and methods described may be readily adapted to function with other 
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internetwork communication protocols in other operating environments. 

FIG. 1 shows a schematic diagram of a private network 10, considered a secure network, connected to a public 
network 12, considered a potentially hostile network, through a gateway station 14 in accordance with the invention. 
In this configuration, the gateway station 14 is configured as a dual homed bastion host which provides a secure 

s interface between the private network 10 and the public network 12. 

The private network 1 0 includes a multiplicity of users 1 6 : commonly referred to as clients, and one or more servers 
such as the name, mail and news server 1 8. The public network 1 2 may be, for example, the Internet which comprises 
hundreds of thousands of interconnected machines. The connection between the private network 10 and the public 
network 1 2 passes through a router 20 that relays packets over a communications line 22 which may be an ISDN, 56K 

10 level BPS, T1 or a dial up connection depending on the private network's arrangement with a public network service 
provider. All of the private network 10 on the private side of the gateway station 14 is unavailable to the public and is 
not advertised on the public network 12. The gateway station 14 does not broadcast any routes to the public network 
1 2 and the gateway router 20 should not have any static routes defined for the private network 1 0. The private network 
10 is therefore "routing invisible" to the public network 12. The hosts in the private network 10 can use private network 

15 addresses as defined in RFC-1597. 

As can be seen in FIG. 1, the gateway station has one device address for its communications connection with the 
private network 10 and another device address for its communications connection with the public network 12. The 
device address on the public side of the gateway station 14 must be advertised on the public network 12. The private 
network 10 may also include one or more public servers 24 which may be accessed directly from the public network 

20 12. The public servers 24 must have addresses which are registered and published on the public network 12. The 
private network 1 0 can only access the public servers 24 through the gateway station 1 4. The public server 24 is treated 
like any other server on the public network 12 when a user 16 initiates communication from the private network 10. 

The gateway station 14 is preferably a UNIX station, well known in the art. The kernel of the operating system of 
the gateway station 14 is modified to disable all IP forwarding, source routing and IP redirecting functions. It is therefore 

25 impossible to have communication data packets flow directly through the gateway station 14. As will be explained 
below in some detail, these functions have been replaced with processes which ensure that all communications data 
packets from the private network 10 to the public network 12, or vice versa, are properly authenticated. 

Public network communications are typically in TCP/IP format. FIG. 2 shows a schematic diagram of an IP header 
26, a TCP header 28 and a UDP (User Datagram Protocol) header 30. Each IP header includes a 32-bit source IP 

oo address 32 and a 32-bit destination IP address 34. Each TCP header and each UDP header include a 16-bit source 
port number 36 and a 16-bit destination port number 38. Each communication data packet therefore includes a source 
address/source port number and a destination address/destination port number, in accordance with this communica- 
tions protocol which is well known in the art. In addition to the TCP/IP communications protocol, local area networks 
often operate using ethernet network control software which handles intranetwork communications. In accordance with 

35 ethernet protocol, TCP/IP packets are encapsulated with an ethernet encapsulation packet to facilitate routing and 
ensure error free transmission. 

FIG. 3 shows a schematic diagram of an ethernet encapsulation packet in accordance with RFC 894. Each en- 
capsulation includes an ethernet destination address 40, an ethernet source address 42 and a check sum 44 for facil- 
itating error detection and correction. 

40 FIG. 4 illustrates schematically a typical communications session between a client station 1 6 on the private network 

1 0 and a public host 46 on the public network 1 2. All communications between the networks are handled by the gateway 
station 1 4. When a client 1 6 wishes to communicate with the public network 1 2 ; such as in accessing a public host 46, 
the client 16 issues a network command as if the client were not behind a firewall. For instance, client 16 may issue 
the command: 

45 Telnet Target. Machine 

The private network 10 is configured so that all packets directed to the public network 12 are encapsulated with the 
ethernet destination address ( 1 92. 1 68.77. 1 ) of the gateway station 1 4. A TCP/LP packet encapsulated with the ethernet 
destination address of the gateway station 14 is therefore dispatched by the client 16. A normally configured UNIX 
device will not accept for processing TCP/IP packets which do not have an IP destination address equal to its own IP 

50 address. The kernel of the operating system of the gateway station 14 is modified so that the gateway station 14 will 
accept for processing any TCP/IP packet having an encapsulation destination address 40 that matches the device 
address of the gateway station 14. When the gateway station 14 receives the client packet containing the Telnet com- 
mand, a process is initiated on the gateway station 14 which responds to the client 16 to establish a communication 
session 17 as if it were the target machine. As will be explained below in detail, the process then authenticates the 

55 client's authorization to access the requested service and if the client 16 is determined to have the required authori- 
zation, the gateway station 14 initiates a second communications process 19 with the remote host 46 in which the 
gateway station 14 simulates the client 16 without revealing the client address. Once the two communication sessions 
1 7, 1 9 are operative, communication is effected between the client 1 6 and the host 46 by passing communication data 
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between the two interdependent communication sessions. This is accomplished by a process that operates at the 
application level on the gateway station 14, as will be explained in detail below. The process accepts communication 
packets passed from the IP layer of the gateway station 14 by the modified operating system kernel, extracts the data 
from the packets and passes the data to the appropriate interdependent communications session. Data sensitivity 

5 checking is preferably performed before packet data is released to the appropriate interdependent communications 
session. Data sensitivity checking can prevent protocol piggybacking and other sophisticated intrusion techniques. 
Data sensitivity checking is performed using application level algorithms, some of which are well known in the art, but 
new algorithms are still being developed. All of this processing is completely transparent to client 16 because all com- 
munications appear to be direct to host 46. Host 46 likewise cannot detect that communications with client 16 are not 

w direct. 

FIG. 5 shows a general overview of the way in which a prior art UNIX operating system kernel handles data 
communication packets. In a first step 48. a data packet is received by a UNIX workstation (not illustrated). The en- 
capsulation address (typically an ethernet encapsulation destination address 40 : see FIG. 3) is checked to determine 
whether it matches a device address of the station in step 50. If the addresses do not match : the packet is dropped in 

15 step 52. If the addresses match, the IP destination address 34 (see FIG. 2) is examined to determine whether it matches 
an IP address of the station in step 54. If a match is found, the destination port is examined in step 56 to determine 
whether there is a process bound to a communications port indicated as the destination port by a TCP or UDP portion 
of the packet that indicates the destination port number 38 (see FIG. 2). If no process is bound to the destination port, 
the packet is dropped in step 58. Otherwise, the-kernel starts a TCP or a UDP session with the IP source in step 59, 

20 and delivers the packet to the bound process in step 60. Thereafter, the packet is processed by the process bound to 
the destination port in step 61 , in a manner well known in the art. If the IP destination address does not match any IP 
address for the station, the kernel attempts to forward the packet in step 62 by consulting routing tables in a process 
which is also well understood by those skilled in the art. 

FIG. 6 is a flow diagram of a general overview of packet processing by a UNIX operating system kernel modified 

25 jn accordance with the invention. In order to understand the process completely, it is important to understand that the 
gateway station 14 (see FIG. 1) is configured by a systems administrator using configuration programs supplied with 
the gateway station 1 4. When the gateway station 1 4 is initialized, a system configuration file is examined to determine 
what network services are to be supported by the gateway station 14. In order to maximize performance efficiency of 
. the gateway station 1 4, commonly used services are supported by processes adapted to most efficiently handle com* 

oo munications for each respective service. These processes are called "proxies". On system initialization, any proxy 
given operating rights by the system administrator is said to "bind" to the port to which the proxy has been assigned. 
Thereafter, the process is said to be "bound" to the port. In accordance with the invention, the gateway station 14 is 
also supplied with a generic proxy that is assigned to port 5981 3. This port assignment is an arbitrary assignment and 
another port number may be used. When the gateway station 14 is initialized, the generic proxy binds to port 59813, 

35 provided that the systems administrator has given it operating rights to do so. 

With reference again to FIG. 6, the modified kernel receives a packet in step 64 in the same manner as an un- 
modified prior art kernel. The packet is examined to determine whether the encapsulation destination address 40 (see 
FIG. 3) equals the device address of the gateway station 14 in step 66. If no match is found, the packet is dropped in 
step 68. If the encapsulation destination address 40 equals the device address of the gateway station 1 4, the destination 

40 port of the TCP or UDP portion of the packet is examined to determine the destination port number 38 (see FIG. 2) 
and whether there is a process bound to that destination port in step 70. The IP destination address 34 of the packet 
is ignored while making this determination. If no proxy process is bound to the destination port of the data packet, the 
kernel checks port 5981 3 to determine whether the generic proxy process is bound to that port in step 72. If the generic 
proxy process is not bound to port 59813, the packet is dropped in step 74. If it is determined that a proxy process is 

45 bound to a port which can serve the destination port number 36 in either of steps 70 or 72, a session (TCP or UDP) is 
initiated with the packet source IP address 32 in step 76 and in step 78, the packet is delivered by the kernel to the 
proxy process designated in steps 70, 72. This critical modification of the operating system kernel permits the kernel, 
within the permission boundaries imposed by a systems administrator to "listen" to all 64K ports available for commu- 
nication. Appendix A attached hereto is a printed listing of the modified source code in the kernel. 

50 FIGs. 7a and 7b show a flow diagram of a general overview of processing at the application or proxy level of 

operations on the gateway station 14 in accordance with the invention. While this general overview shows a simple 
single user process, it will be understood by those skilled in the art that all proxies in accordance with the invention 
are multi-tasking proxies which can service a plurality of users simultaneously by creating "sockets" for multi-task 
organization in a manner well understood in the art. 

55 in step 80 of FIG. 7a, the proxy is initialized. The proxy may be any one of a number of proxies. As noted above, 

in order to maximize the performance of a gateway station 14, certain customized proxies handle certain services. In 
particular the preferred embodiment of the invention includes at least the following customized proxies: 
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proxy - Telnet (port 23) 

proxy - FTP (port 21) 

proxy - Gopher (port 70) 

proxy - TCP (port xxx or port 5981 3) 

UDP - relay (port xxx or port 59813) 



These custom proxies are adapted to most efficiently handle the services with which they are associated. Other 
custom proxies can, of course : be added to the proxy processes which are bound to ports on the gateway station 14. 
If a data packet has a destination port number 38 that is determined to point to a port to which a custom proxy process 

10 is bound, the packet is passed by the kernel to that custom proxy process in step 82 where the custom proxy process 
waits for packets to arrive on the port to which it is bound, represented by "port xxx n in the diagram. As explained above 
with relation to FIG. 6, if the destination port number 38 of a data packet does not point to a port to which a custom 
proxy process is bound, the packet is delivered by the kernel to port 59313. Proxy 59813 is the generic proxy process 
which is designated to handle any request for service for which a customized proxy process does not exist. Although 

'5 the generic proxy process is literally bound to a specific port, such as port 5981 3 : in combination with the modified 
kernel it is operationally bound to every port to which a custom proxy process is not bound. Thus a versatile gateway 
station 14 which can handle any TCP/IP communications session is provided. 

When the packet is passed by the kernel in step 82 to a bound proxy process, the proxy process determines 
whether the source IP address 32 is permitted to communicate with the destination IP address in step 64. This is 

20 accomplished by reference to a rule base maintained by a systems administrator of the private network. Rule bases 
are well understood in the art and their structure is common general knowledge. Preferably, the rule base in accordance 
with the preferred embodiment of the invention includes a minimum of the following elements in the rule set to determine 
authorization: 

25 |p source address 



If the IP source address 32 is determined in step 84 not to be authorized for the requested service, the gateway 
station 14 drops the communication session in step 85. Otherwise, the proxy determines whether user level authenti- 
cation is required in step 88. User level authentication is also under the control of the systems administrator. For 
example, the systems administrator may not require any authentication of users on the private network on the theory 

35 that the private network is only accessible to secure individuals. On the other hand, the systems administrator has the 
option of requiring user level authentication for all users or any selected user. Even if user level authentication is 
required, in accordance with the preferred embodiment of the invention a user can authenticate and enable transparent 
mode wherein authentication need not be repeated for subsequent sessions for as long as authentication is maintained, 
as will be explained below in more detail. 

40 if user level authentication is determined to be required in step 88, the proxy process authenticates the user in 

step 90. Authentication is preferably accomplished by requiring the user to enter an identification code and a password 
in a manner well known in the art. The identification code and the password entered are verified in a user authentication 
data base (not illustrated), the structure and operation of which are also well known in the art. In step 92, the gateway 
station 14 determines whether the user has authenticated by referencing the user authentication data base. If the user 

45 is not successfully authenticated, the session is dropped in step 94. If it is determined that no authentication is required 
in step 38, or if the user successfully authenticates in step 92, the IP destination address 34 of the packet is examined 
to determine if it is an IP address of the gateway station 1 4 in step 96 (see FIG. 7b). Step 96 is preferably only executed 
by the custom proxies for Telnet, FTP and Gopher, as will be explained below in detail. If the IP destination address 
34 of the packet corresponds to an IP address of the gateway station 14, the gateway station starts a session to permit 

so the user to enable or disable transparent mode in step 98, as will also be explained below. In step 100, the proxy 
process waits for communication packets to arrive on the port "xxx", which is the port on which the communications 
session was initiated, where it is delivered by the modified kernel. When a communications packet arrives, it is proc- 
essed by the proxy process to permit the IP source to enable or disable transparent mode in step 101 . Thereafter, the 
proxy process determines in step 102 whether the session has ended and if not it returns to step 100 to wait for a data 

55 packet to arrive on the port. Otherwise it returns to step 80 (see FIG. 7a) to initialize for a new session. If the IP 
destination address 34 of the packet does not match an IP address of the gateway station 14, a second communication 
session is established in step 104. The second communication session is established between the gateway station 14 
and the IP destination address 34/TCP destination port number 36 indicated by the packet. The second communication 



IP destination address 

Service required (Telnet, Archie, Gopher, WAIS, etc.) 

User ID 

Password 
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session eslablished in step 104 is established exclusively by the proxy process, all operations being completely trans- 
parent to the IP source. Once the second communications session is established, the proxy process waits for data 
packets from each session in step 1 06. The data packets are delivered by the kernel to the proxy process which relays 
the data portion of each packet from one session to the other so that the two interdependent sessions appear to the 

5 IP source and to the IP destination to be one direct session between a client source and a host destination. Data 
sensitivity checking may be accomplished by the proxy process before relaying the data from one session to the other. 
Data sensitivity checks ensure that the gateway station 14 provides a very secure interface that is, for all practical 
purposes, impossible for intruders to breach. 

Thus a completely transparent firewall is provided which permits a security administrator to exercise potent control 

10 over the access to the private network. In step 108, the proxy process checks to determine whether either of the 
sessions is terminated. If either session terminates, the other session is likewise terminated and the proxy process 
returns to step 80 for initialization. The custom proxy processes in accordance with the invention are public domain 
proxy processes which have been modified to cooperate with the kernel in accordance with the methodsof the invention. 
Appendix B attached hereto is a printed listing of the modifications made to the public domain proxies for the Telnet 

is proxy and the FTP proxy. The principles illustrated may be applied by a person skilled in the art to any public domain 
or proprietary proxy process. 

One of the significant features of the invention is the fact that the proxy process which executes in accordance 
with the flow diagram shown in FIG. 7 may be the generic proxy process, which can handle any request for service for 
which a customized proxy process does not exist. The generic proxy process in accordance with the invention is a 

20 proprietary TCP proxy. A complete source code listing of the proxy TCP is attached hereto as Appendix D. As explained 
above, in the preferred embodiment of the invention, the generic proxy process is bound to port 5981 3 : but the specific 
port to which the proxy process is bound is substantially immaterial. The generic proxy process increases many fold 
the versatility of gateway station 1 4 and permits the gateway station to handle any communications session, including 
sessions which use port numbers dynamically allocated in real time by the communicating systems. It also provides a 

25 secure gateway which is adapted to support, without modification, new service offerings on the public network 12. If a 
new service offering becomes a popular service for which there is demand, a customized proxy can be written for that 
service. During development and testing of the customized proxy, however, the new service can be supported by the 
generic proxy process. Thus a versatile, secure internetwork gateway is provided which supports any known or future 
service available on a public network. 

oo The gateway is completely transparent to users in all instances except when a user authentication is requested. 

In that instance, users may be authorized to enter authentication requests to enable a transparent mode of operation 
wherein subsequent sessions require no further authentication, and the gateway station 14 is completely transparent 
to the user. In accordance with the preferred embodiment of the invention, transparent mode can be enabled using a 
Telnet session, an FTP session or a Gopher session. To enable transparent mode using the Telnet program, a Telnet 

35 session is started with gateway station 14 as follows: 

your-host% telnet gatewaystation.company.com 

Trying 198.53.54.2 

Connected to gatewaystation.company.com 
40 Escape character is ' A ]' 

gatewaystation proxy-telnet ready: 

Username: You 

Password: xxxxxxx 

Login Accepted 
45 proxy-telnet> enable 

proxy-telnet> quit 

Disconnecting 

Connection closed by foreign host. 
your-host% 

50 

A user may also authenticate and enable transparent mode using the FTP program as follows: 

your-host% FTP gatewaystation.company.com 

Connected to gatewaystation.company.com 
55 220 gatewaystation proxy-FTP ready: 

Name (gatewaystation. company.com:you): You 
331 Enter authentication password for you 
Password: xxxxxxx 
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230 User authentication to proxy 
ftp > quote enable 
Transparent mode enabled 
ftp > quit 
s your-host% 

In the preferred embodiment of the invention, a proprietary Gopher proxy is enabled to automatically initiate trans- 
parent mode after the user has successfully authenticated to the gateway station 14 by entering a valid user identifi- 
cation and password: whenever a Gopher session is requested and user authentication is required. This user authen- 
10 tication capability is a novel feature for a Gopher proxy. The proprietary source code for the novel Gopher proxy is 
appended hereto as Appendix C. 

The modes for implementing transparent mode are, of course, arbitrary and may be redesigned or reassigned to 
other programs or proxies as those skilled in the art deem appropriate. Once the transparent mode is enabled, an 
authentication directory is updated by creating a file entry for the source IP address 32. The authentication files include 
is a creation time variable which is automatically set to the system time when the file is created. This creation time variable 
is used to track the time of authentication. The files also include a last modification time variable which is automatically 
updated by the system each time the file is modified. By rewriting the authentication file each time a user initiates a 
new communications session through the gateway station 1 4 the time of last use of the gateway station can be tracked. 
This authentication directory is inspected periodically and user files are deleted from the authentication directory based 
20 on any number of predetermined criteria. In accordance with the preferred embodiment, the user file is deleted from 
the authentication directory if the user has not initiated a communications session through the gateway station for a 
period of time predefined by the systems administrator. In addition, the user file may be deleted from the authentication 
directory at a predetermined time of day defined by the system administrator. It is therefore possible to have the au- 
thentication of all users of the gateway station 14 revoked at a specified time of day, such as the end of the business 
25 day. This further fortifies the security of the gateway. 

It is apparent that a novel and particularly invulnerable gateway has been invented. The gateway is efficient as 
well as secure. It will be readily apparent to those skilled in the art that modification may be made to the preferred 
embodiment described above without departing from the scope of the invention as expressed in the appended claims. 

30 
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* Copyright (c) 1982. 1986, 1988, 1993 m 
Regents of the University of California. All rights reserved. 

* Red ,ribution and use in source and binary forms, with or without 

* modification, are permitted provided that the following conditions 

* are met: ^ _ . . „ 

* 1. Redistributions of source code must retain the above copyright 
notice, this list of conditions and the following disclaimer. 

* 2 Redistributions in binary form must reproduce the above copyright 

* * notice, this list of conditions and the following disclaimer in the 
documentation and/or other materials provided with the distribution. 

* 3. All advertising materials mentioning features or use of this software 

must display the following acknowledgement: 

* This product includes software developed by the University ot 
California, Berkeley and its contributors. 

* 4. Neither the name of the University nor the names of its contributors 
15 . may bG US ed to endorse or promote products derived from this software 

* without specific prior written permission. 

* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS * AS IS'* AND 

* ANY EXPRESS OR IMPLIED WARRANTIES , INCLUDING, BUT NOT LIMITED TO - ™E 

* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 

* ARE DISCLAIMED IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS EE LIABLE 

* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY , OR CONSEQUENTIAL 

* DAMAGES { INCLUDING , BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 

* OR SERVICES; LOSS OF USE, DATA, OR PROFITS ; OR BUSINESS INTERRUPTION) 

* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT STRICT 

* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 

* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .. 

* SUCH DAMAGE. 

* 0 (#) ip_input.c 7.19 (Berkeley) 5/25/91 
*/ 

# include "param.h" 

30 #include "systm.h" 

#include •malloch* 

#include "mbuf.h M 

#include -domain. h" 

#include "protosw.h" 

# include "socket. h" 

i include "errno.h" 

# include "time.h" 

# include -kernel . h" 

#include M . - /net/ if .h" 
# include w .. /net/ route . h M 

-*o #include "in.h" 

tinclude ■ in_systm. h" 

# include "ip.h" 

# include -in_pcb.h M 

# inc lude " in_var . h" 

* include *ip_var.h" 
45 # include "ip_icmp.h" 

*if defined <MILKYWAY_BH) || defined (MILKYWAY_VPN) 
^include "mi lkyway/ vpn_data . h M 
# define GATEWAY 
ttendif 

so /* che following are in injproto.c for easy conf ig-dependence */ 

extern int ipf orwarding; /* act as router? */ 

extern int ipf orward_srcrt ; /* forward src-routed packets? / 
extern int ipsendredirects ; 

55 
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#ifdef GWSCREEN ■ 

extern void ( * ip_f orward_f n) P( (struct mbuf *. int) ) ; 

Kendif 

void ir forward P( (struct mbuf *, int)); 

ffifdef DEBUG 

int ipprintfs = 1; 

#endif 

extern struct domain inetdomain; 

extern struct protosw inetsw (] ; 

u_char ip_protOx[ IPPROTO_MAX J ; 

int ipqmaxlen = I FQ_MAXLEN ; 

struct in_ifaddr *in_ifaddr; 



/* first inet address ♦/ 
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We need to save the IP options in case a protocol wants to respond 
to an incoming packet over the same route if the packet got here 
using IP source routing. This allows connection establishment and 
maintenance when the remote end is on a network that is not known 
to us. 



V 
int 

static 



struct 
char 
char 
struct 
ip_srcrt ; 



ip_nhops = 0 ; 

struct ip_srcrt { , 

in_addr dst; /* final destination */ 

nop; /* one NOP to align */ 

srcopt [IPOPT_OFFSET + 1]; /* OPTVAL, OLEN and OFFSET */ 

in_addr route [MAX_IPOPTLEN/ sizeof ( struct in_addr)]; 



#ifdef GATEWAY 
extern int if_index; 
u_long *ip_if matrix; 
#endif 

/* 

* IP initialization: fill in IP protocol switch table. 

* All protocols not implemented in kernel go to raw IP protocol handler. 
*/ 

ip_init ( ) 
{ 

register struct protosw *pr; 
register int i; 

pr = pf f indproto(PF_INET. IPPR0T0_RAW, SOCK_RAW) ; 
if (pr == 0) 

panic ( " ip_init " ) ; 
for (i = 0; i < IPPROTO_MAX; i++) 

ip_protox[i] = pr - inetsw; 
for (pr = inetdomain. dom_protosw; 

pr < inetdomain. dom_protoswNPROT0SW; pr + + ) 

if (pr->pr_domain->dom_f amily == PF_INET && 

pr->pr_protocol && pr->pr_protocol != IPPROTO_RAW) 
ip_protox[pr->pr_protocol ) = pr - inetsw; 
ipq.next = ipq.prev = &ipq; 
ip_id = time. tv_sec & Oxffff; 
ipintrq . ifq_maxlen = ipqmaxlen; 
#ifdef GATEWAY 

i = (if_index +1) * (if_index +1) * sizeof (u_long) ; 
if ( (ip_if matrix = <u_long *) mallocU, M_RTABLE , M_WAITOK> ) == 0) 
panic ("no memory for ip_i fmatr ix" ) ; 

#endif 

> 

struct ip *ip_reass(); 

struct sockaddr_in ipaddr = { sizeof ( ipaddr) , AF_INET ); 
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struct route ipf orward_r t ; 

'* "ip ^-out routine. Checksum and byte swap header. If fragmented 
* try j reassemble. Process options. Pass to next level. 
V 

ipintr( ) 

register struct ip *ip; 

register struct mbuf *m; • , 

10 register struct ipq *fp; 

register struct in_ifaddr *ia; 
int hlen, s; 
struct ifnet *ifp; 



IS 



20 



25 #endif 



30 



next: 

/ * 

* Get next datagram off input queue and get IP header 

* in first mbuf. 
*/ 

s = splimp { ) ; 
IF_DEQUEUE(&ipintrq,m) ; 
splx(s) ; 
if (m == 0) 

return; 

#ifdef DIAGNOSTIC 

if (<m->m_flags & M_PKTHDR> == 0) 
panic (" ipintr no HDR W ) ; 



if p=m->m_pkthdr . rcvif ; 



/ * 

* If no IP addresses have been set yet but the interfaces 

* are receiving, can't do anything with incoming packets yet. 
*/ 

if (in_ifaddr == NULL) 

goto bad; 
ipstat. ips_total++; 
if <m->nulen < sizeof (struct ip) 

(m = m_pullup(m, sizeof (struct ip) ) ) == 0) l 
ipstat . ips_toosmall++ ; 
35 goto next; 

ip = mtod(m, struct ip *) ; 

if (ip->ip_v != IPVERSION) ( 

/* ipstat . ips_badver++; */ 
40 goco bad; 

} 

hlen = ip->ip_hl « 2; 

if (hlen < sizeof ( struct ip) ) ( /* minimum header length / 
ipstat. ips_badhlen++ ; 
goto bad; 

) 

if (hlen > m->m_len) { 

if ( (m = m_pullup(m, hlen)) = = 0) { 
ipstat. ips_badhlen++; 
goto next; 

so ip = mtod(m, struct ip *); 

if (ip->ip_sum = in_cksum(m, hlen)) { 
ipstat . ips_badsum++ ; 
goto bad; 
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/* 

* Convert fields to host representation. 
5 V 

NTOHS(ip->ip_len) ; 

if (ip->ip_len < hlen) { 

ipstat. ips_badlen++; 

goto bad; 

> 

10 NTOHS ( ip->ip_id) ; 

NTOHS (ip->ip_of f ) ; 

/* 

* Check that the amount of data in the buffers 

* is as at least much as the IP header would have us expect, 

* Trim mbufs if longer than we expect. 

* Drop packet if shorter than we expect. 
*/ 

if <m->m_pkthdr . len < ip->ip_len) ( 
ipstat. ips_tooshort++; 
goto bad; 

if (m->m_pkthdr.len > ip->ip_len) { 

if <m->m_len == m->m_pkthdr . len} { 
m->m_len = ip->ip_len; 
m->m_pkthdr . len = ip->ip_len; 

} else 

m_adj (m, ip->ip_len - m->m_pkthdr . len) ; 

25 } 
/* 

* Process options and, if not destined for us, 

* ship it on. ip_dooptions returns 1 when an 

* error was detected (causing an icmp message 

* to be sent and the original packet to be freed) . 
V 

ip_nhops =0; /* for source routed packets */ 

if (hlen > sizeof (struct ip) && ip_dooptions (m) ) 
goto next; 
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* Check our list of addresses, to see if the packet is for us. 



for (ia = in_ifaddr; ia; ia = ia->ia_next) { 
#define satosin(sa) ((struct sockaddr_in *Msa)) 

if (lA_SIN(ia) ->sin_addr .s_addr == ip->ip_dst . s_addr ) 
40 goto ours; 

if ( 

#ifdef D I RECTED_BROADC AST 

ia~>ia_ifp == m->nupkthdr . rcvif &t 

#enda - f (ia->ia_ifp->if_f lags & iff_BROADCAST) ) ( 

45 u_long t; 

if (satosin(&ia->ia__broadaddr) ->sin_addr . s_addr = = 
ip->ip_dst . s_addr) 
goto beast; 

if <ip->ip_dst.s_addr == ia->ia_netbroadcast . s_addr ) 
goto beast; 

50 /* 

* Look for all-O's host part (old broadcast addr) , 

* either for subnet or net. 
*/ 

t = ntohl (ip->ip_dst.s_addr) ; 
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) 



if (t -- ia->ia_subnet) 
goto beast; 

if (t == ia->ia_net) 
goto beast; 



#ifdef MULTICAST 

if <IN_MULTICAST(ntohl ( ip-> ip_dst . s_addr ) ) ) < 

struct in_multi *inm; 
/* #ifdef M ROUTING */ 

extern struct socket *ip_mrouter; 

if (ip_mr outer) { 



/* #endif */ 



#endif 



} 



* If we are acting as a multicast router, all 

* incoming multicast packets are passed to the 

* kernel-level multicast forwarding function. 

* The packet is returned (relatively) intact? if 

* ip_mforward( ) returns a non-zero value, the packet 

* must be discarded, else it may be accepted below. 
* 

* (The IP ident field is put in the same byte order 

* as expected when ip_mforward ( ) is called from 

* ip_output ( ) . ) 
*/ 

ip->ip__id = htons (ip->ip_id) ; 

if <ip_mforward(ip, m->m_pkthdr . rcvif , m) != 0) ( 
m_f reem(m) ; 
goto next; 

ip->ip_id = ntohs (ip->ip_id) ; 
/* 

* The process- level routing daemon needs to recexve 

* all multicast IGMP packets, whether or not this 

* host belongs to their destination groups. 
*/ 

if (ip->ip_p == IPPROTO_IGMP) 
goto ours; 



50 



/ 

* See if we belong to the destination multicast group on the 

* arrival interface. 
*/ 

IN_LOOKUP_MULTI (ip->ip_dst, m->m_pkthdr . rcvif , inm) ; 
if (inm == NULL) { 
m_f reem (m) ; 
goto next; 

} 

goto ours; 

} 

if (ip->ip_dst.S_addr == (u_long) IN AD DR — BROADCAST) 

goto beast; 
if (ip->ip_dst.s_addr == INADDR_ANY) 
goto ours; /* beast? */ 

#if defined (MILKYWAY_BH) 
/* mcr - 94/10/11 

Do not forward and simply give the packet to the upper layer 
Just to see how it goes 



#if defined (MILKYWAY_VPN) 

/» but we need to be a bit smarter for VPN */ 
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if (vpn„forward(m) ) { 

goto next; 
) else { 

goto ours; 



#endif 
#eise 



* Not for us; forward if possible and desirable. 



#ifdef 
#else 
#endif 
#endif 
beast : 

ours : 



if {ipf orwarding ==0) { 

ipstat . ips_cantf orward++ ; 
m_f reem (m) ; 

) else 

GWSCREEN 

( *ip_forward_fn) (m, 0) ; 

ip_f orward (m, 0 ) ; 

goto next; 
/* MILKYWAY_BH */ 

/* set the BCAST bit on packets destined to an IP broadcast address */ 
m->m_ flags |= M_BCAST; 



* If offset or IP_MF are set, must reassemble. 

* Otherwise, nothing need be done. 

* (We could look in the reassembly queue to see 

* if the packet was previously fragmented, 

* but it's not worth the time; just let them time out.) 
*/ 

if (ip->ip_off &~ IP_DF) { 

if <m->m_f lags & M_EXT) ( /• XXX */ 

if ((m = m__pullup(m, sizeof (struct ip) ) ) ==0) { 
ipstat . ips_toosmall++; 
goto next; 

) 

ip = mtod(m, struct ip *) ; 

) 

/* 



V 
for 



found : 



Look for queue of fragments 
of this datagram. 

(fp = ipq.next; fp != &ipq; fp = fp->next) 
if (ip->ip_id == fp->ipq_id && 

ip->ip_src . s_addr == fp->ipq_src . s_addr && 
ip->ip_cst . s_addr == fp->ipq_dst . s_addr 
ip->ip_p == fp->ipq_p) 
goto found; 

fp = 0; 



50 



* Adjust ip_len to not reflect header, 

* set ip_mff if more fragments are expected, 

* convert offset of this to bytes. 
*/ 

ip->ip_len -= hlen; 

((struct ipasfrag * ) ip) ->ipf _mf f = 0; 
if (ip->ip_off & IP_MF) 

((struct ipasfrag * ) ip) ->ipf _mf f = 1; 
ip->ip_off <<= 3; 
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/* 

* If datagram marked as having more fragments 

* or if this is not the first fragment, 

* attempt reassembly; if it succeeds, proceed. 

* / 

if (((struct ipasfrag * ) ip) ->ipf _mf f || ip->ip_off) < 
ipstat . ips_fragments++; 

ip = ip_reass ( (struct ipasfrag *)ip, fp) ; 
if (ip == 0) 

goto next; 
else 

ipstat . ips_reassembled++ ; 
m a dtom( ip) ; 

) else 

if (fp) 

15 ip_freef (fp) ; 



10 



30 



} else 



ip->ip_len -= hlen; 



/* 

* Switch out to protocol's input routine. 

20 V 

ipstat . ips_delivered++; 

(*inetsw[ip_protox[ip->ip_p) ] .pr_mput) (m, hlen) ; 
goto next; 

bad: 

m_f reem(m) ; 
„c goto next; 

) 

/* 

* Take incoming datagram fragment and try to 

* reassemble it into whole datagram. If a chain for 

* reassembly of this datagram already exists, then it 

* is given as fp; otherwise have to make a chain. 
•/ 

struct ip * 
ip_reass(ip, fp) 

register struct ipasfrag *ip; 
register struct ipq *fp; 



35 { 



40 



45 



register struct mbuf *m = dtom(ip); 

register struct ipasfrag *q; 

struct mbuf *t; 

int hlen = ip->ip_hl « 2; 

int i, next; 

/* 

* Presence of header sizes in mbufs 

* would confuse code below. 
*/ 

m->m_data += hlen; 
m->m_len -= hlen; 

/* 

* If first fragment to arrive, create a reassembly queue. 



*/ 

if (fp -- f 0) ((t _ m _get (M_DONTWAIT, MT_FTABLE) ) == NULL) 
so goto dropfrag; 

fp = mtod(t, struct ipq *); 
insque(fp, &ipq) ; 
fp->ipq_ttl = I PFRAGTTL ; 
fp->ipq_P = ip->iP-JP? 
fp->ipq_id = ip->ip_id; 
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fp->ipq_next = fp->ipq_prev = (struct ipasfrag *)fp; 
fp->ipq_src = ((struct ip * ) ip) ->ip_src; 
fp->ipq_dst = ((struct ip * ) ip) -> ip_dst; 
5 q = (struct ipasfrag *)fp; 

goto insert; 

) 

/* 

* Find a segment which begins after this one does. 

10 V 

for (q = fp->ipq_next; q 1= (struct ipasfrag *)fp; q = q->ipf_next) 
if (q->ip__off > ip->ip_off) 
break; 



15 



/* 

* If there is a preceding segment, it may provide some of 

* our data already. If so, drop the data from the incoming 

* segment. If it provides all of our data, drop us. 
*/ 

if (q->ipf_prev != (struct ipasfrag *)fp) { 

i = q->ipf_prev->ip_of f + q->ipf_prev->ip_len - ip->ip_off; 
if (i > 0) { 

20 if (i >= ip->ip_len) 

goto dropfrag; 
ro__adj (dtom( ip) , i) ; 
ip->ip_off += i; 
ip->ip_len -= i; 

) 

25 ) 
/* 

* While we overlap succeeding segments trim them or, 

* if they are completely covered, dequeue them. 
V 

while (q != (struct ipasfrag *)fp && ip->ip_off + ip->ip_len > q->ip_off 



30 



) { 



i = (ip->ip_off + ip->ip_len) - q->ip_off; 
if (i < q->ip_len) { 

q->ip_len -= i; 
q->ip_off += i; 
m_adj (dtom(q) , i) ; 
35 break; 

) 

q = q->ipf_next; 

m_f reem(dtom(q->ipf_prev) ) ; 

ip_deq(q->ipf_prev) ; 



40 

insert: 



* Stick new segment in its place; 

* check for complete reassembly. 
V 

45 ip_enq(ip, q->ipf_prev) ; 

next = 0; 

for (q = fp->ipq_next; q != (struct ipasfrag *)fp; q = q->ipf_next) { 
if (q->ip_off != next) 

return (0) ; 
next += q->ip_len; 

) 

if (q->ipf_prev->ipf_mf f ) 
return (0) ; 

/* 

* Reassembly is complete; concatenate fragments. 
*/ 

55 
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w 



25 



30 



35 



40 



50 



q = f p->ipq_next; 
m = dtom(q) ; 
't = m->m_next ; 
m->m_next = 0; 

_cat (m, t) ; 
q = q->ipf_next; 

while (q != (struct ipasfrag *)fp) { 
t = dtom(q) ; 
q = q->ipf_next ; 
m_cat (m, t) ; 

> 



/* 

* Create header for new ip packet by 

* modifying header of first packet; 

* dequeue and discard fragment reassembly header. 
15 * Make header visible. 

V 

ip = fp->ipq_next ; 
ip->ip_len = next; 

((struct ip *> ip) ->ip_src = fp->ipq_src; 
((struct ip M ip) ->ip_dst = fp->ipq_dst; 
20 remque(fp); 

(void) m_f ree (dtom( fp) ) ; 
m = dtom( ip) ; 

m->m_len + = <ip->ip_hl « 2); 
m->m_data -= (ip->ip_hl << 2); 

/* some debugging cruft by sklower, below, will go away soon */ 
if <m->m_flags & M_PKTHDR) ( /* XXX this should be done elsewhere V 
register int plen = 0; 
for (t = m; m; ra = m->m_next) 

plen += m->m_len ; 
t->m_pkthdr . len = plen; 

) 

return ((struct ip *)ip); 



dropf rag: 

ipstat. ips_fragdropped++; 
m_f reem(m) ; 
return (0); 

} 

/* 

* Free a fragment reassembly header and all 

* associated datagrams. 
*/ 

ip_freef (fp) 

struct ipq *fp; 

( 

register struct ipasfrag *q, *p; 



for (q = fp->ipq_next; q != (struct ipasfrag *)fp; q = p) { 
p = q->ipf_next; 
ip_deq(q) ; 

45 m_freem(dtom(q) ) ; 

} 

remque ( fp) ; 

(void) m_f ree (dtom{ fp) ) ; 

) 



* Put an ip fragment on a reassembly chain. 

* Like insque, but pointers in middle of structure. 

* / 

ip_enq(p, prev) 

register struct ipasfrag *p, *prev; 
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p->ipf__prev = prev; 
o->ipf_next = prev->ipf _next ; 
>rev-> ipf _next-> ipf _prev = p; 
prev->ipf _next = p; 



/* 

* To ip_enq as remque is to insque . 
V 

ip_deq{p) 

register struct ipasfrag *p; 

( 

p->ipf_prev->ipf_next = p->ipf_next; 
p->ipf_next->ipf_prev = p->ipf__prev; 

} 

/* 

* IP timer processing; 

* if a timer expires on a reassembly 

* queue, discard it. 
*/ 

ip_slowtimo () 
{ 

register struct ipq *fp; 
int s = spinet ( ) ; 



} 



fp = ipq. next; 
if (fp == 0) { 

splx(s) ; 

return; 

> 

while (fp != &ipq) { 

--fp->ipq_ttl; 
fp - fp->next; 

if ( fp->prev->ipq_ttl ==0) { 

ipstat . ips_f ragtimeout++; 
ip_freef (fp->prev) ; 

) 

> 

splx(s) ; 



/* 

* Drain off all datagram fragments. 
*/ 

ip_drain ( ) 
{ 

while (ipq. next != tipq) { 

ipstat. ips_fragdropped++; 
ip_f reef (ipq. next) ; 

) 

) 

extern struct in_ifaddr *ifptoia(); 
struct in_ifaddr *ip_rtaddr ( ) ; 



/* 

* Do option processing on a datagram, 

* possibly discarding it if bad options are encountered, 

* or forwarding it if source-routed. 

* Returns 1 if packet has been forwarded/ freed , 

* 0 if the packet should be processed further. 
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*/ 

ip_dooptions (m) 

struct mbuf *n; 

egister struct ip *ip = mtod(m, struct ip *); 
register u_char *cp; 
register struct ip_ time stamp *ipt; 
register struct in_ifaddr *ia; 

int opt, optlen, cnt, off, code, type = ICMP_PARAMPROB, forward = 0; 
struct in_addr *sin; 
n_time ntime; 



w 



cp = (u.char •) (ip + 1) ; 

cnt = (ip->ip_hl « 2) - sizeof (struct ip) ; 
for (; cnt > 0; cnt - = optlen, cp += optlen) 
opt = Cp[IPOPT_OPTVAL) ; 
if (opt == IPOPT_EOL) 
75 break; 

if (opt == IPOPT_N0P) 



else { 
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optlen = 1; 

optlen = cp[IP0PT_0LEN) ; 

if (optlen <- 0 | | optlen > cnt) { 

code = &cptIPOPT_0LEN] - (u.char *)ip; 

goto bad; 

) 



> 

switch (opt) { 
default: 

25 break; 

/* 

* Source routing with record. 

* Find interface with current destination address. 

* If none on this machine then drop if strictly routed, 
30 * or do nothing if loosely routed. 

* Record interface address and bring up next address 

* component. If strictly routed make sure next 

* address is on directly accessible net. 
*/ 

case IPOPT_LSRR: 
35 case IPOPT_SSRR: 

#ifdef MILKYWAY_BH 

/* Hung Vu Oct 28, 1994 

We simply do not understand source routing 

just return ICMP_UNREACH and SRC FAIL 

40 v 

40 type = ICMP_UNREACH ; 

code a ICMP_UNREACH_SRCFAIL; 
goto bad; 

#endif 

if ((Off = cp[IPOPT_OFFSET] ) < I POPT_MINOFF ) ( 
45 code a &cp(IP0PT_0FFSET] - (u_char *)ip; 

goto bad; 

} 

ipaddr . sin_addr = ip->ip_dst; 
ia = (struct in_ifaddr *) 

if a_ifwithaddr ( (struct sockaddr *)&ipaddr); 
50 if (ia == 0) { 

if (opt == IPOPT_SSRR) { 

type = ICMP_UNREACH; 

COde = ICMP_UNREACH_SRCFAIL; 

goto bad; 
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> 

* Loose routing, and not at next destination 

* yet; nothing to do except forward. 
V 

5 break; 

) 

off--; /* 0 origin */ 

if (off > optlen - sizeof ( struct in_addr) ) < 
/* 

* End of source route. Shoul'd be for us. 

10 */ 

save_rte(cp, ip->ip_src) ; 
break; 

} 

/* 

* locate outgoing interface 
*/ 

bcopy { (caddr_t) (cp + off), (caddr_t) &ipaddr . sin_addr , 

sizeof (ipaddr . sin_addr) ) ; 
if (opt == IPOPT_SSRR) { 
#define INA struct in_ifaddr * 

#define SA struct sockaddr * 

if (<ia = ( INA) if a_if withdstaddr ( (SA)&ipaddr) ) == C 
ia = in_iaonnetof (in_netof (ipaddr . sin_addr ) ) ; 
} else 

ia = ip_r taddr { ipaddr . s in_addr ) ; 
if (ia == 0) { 

type = ICMP_UNREACH; 
code = ICMP_UNREACH_SRCFAIL; 
25 goto bad; 

} 

ip - > ip_ds t = ipaddr . s in_addr ; 

bcopy( (caddr_t) &(IA_SIN(ia) ->sin_addr) , 

(caddr_t) (cp + off), sizeof (struct in_addr)); 
Cp[IPOPT_OFFSET] += sizeof ( struct in_addr) ; 
30 forward - 1; 

breaks- 
case IPOPT_RR: 

if ((off = cp[IPOPT_OFFSET) ) < IPOPT_MINOFF) ( 

code = &cp[IPOPT_OFFSET] - (u_char *)ip; 
« goto bad; 

> 

/* 

* If no space remains, ignore. 
V 

off--; /* 0 origin */ 

if (off > optlen - sizeof (struct in_addr) ) 
40 break* 

bcopy ( <caddr_t) (&ip->ip_dst) , (caddr_t )& ipaddr . sin_addi 
sizeof (ipaddr. sin_addr) ) ; 

/* 

* locate outgoing interface; if we're the destination, 

* use the incoming interface (should be same) . 

45 */ 

if ((ia = (INA) if a_if wi thaddr ( (SA)& ipaddr) ) == 0 && 
(ia = i p_r taddr (ipaddr . sin_addr) ) == 0) { 
type = ICMP_UNREACH; 
code = ICMP_UNREACH_HOST; 
goto bad; 

50 ) 

bcopy < (caddr_t) & (IA_SIN ( ia) ->sin_addr) , 

(caddr_t) (cp ♦ off), sizeof (struct in_addr) ) ; 
cp[ IPOPT_OFFSET] + = sizeof (struct in_addr) ; 
break; 
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case IPOPT_TS: 

code = cp - <u_char *)ip; 
ipt = (struct ip_timestamp *)cp; 
if (ipt->ipt_len < 5) 
5 goto bad; 

if (ipt->ipt_ptr > ipt->ipt_len - sizeof (long)) { 
if (-n-ipt->ipt_of lw == 0) 
goto bad; 

break; 

} 

w sin = (struct in_addr *)(cp + ipt->ipt_ptr - 1); 

switch (ipt->ipt_flg) { 

case IPOPT_TS_TSONLY: 
break; 

1S case IPOPT__TS_TSANDADDR: 

if (ipt->ipt_ptr + sizeof <n_time) + 

sizeof (struct in_addr) > ipt->ipt_len) 
goto bad; 
ia = ifptoia(m->m_jpkthdr .rcvif ) ; 
bcopy ( (caddr_t) &IA_SIN(ia) ->sin_addr , 

<caddr_t) sin, si zeof (struct in_addr) ) ; 
ipt->ipt_ptr += sizeof (struct in_addr) ; 
break; 
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case IPOPT_TS_PRESPEC: 

if ( ipt->ipt_ptr + sizeof (n_time) + 

sizeof (struct in_addr) > ipt->ipt_len) 
25 goto bad; 

bcopy ( (caddr_t) sin, (caddr_t ) tipaddr . sin_addr , 

sizeof ( struct in__addr) ) ; 
if <ifa_ifwithaddr< (SAUipaddr) == 0) 
continue; 

ipt->ipt_ptr += sizeof (struct in_addr) ; 
30 break; 

default : 

goto bad; 

} 

ntime = iptimeO; 

bcopy ( <caddr_t) &ntime, (caddr_t)cp + ipt->ipt_ptr - 1, 

sizeof (n_time) ) ; 
ipt->ipt_ptr += sizeof (n_time) ; 

} 

} 

if (forward) { 

if (ipforward__srcrt == 0) { 
type = ICMP_UNREACH; 
code = ICMP_UNREACH_SRCFAIL; 
goto bad; 

) 

ip_forward(m, 1); 
return ( 1 > ; 

45 } else 

return (0) ; 



35 



40 



bad: 
} 



icmp_error (m, type, code) ; 
return (1) ; 



50 

/* 

* Given address of next destination (final or next hop), 

* return internet address info of interface to be used to get there. 
V 
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struct in_ifaddr * 
ip_rtaddr (dst) 

struct in_addr dst; 

{ 

egister struct sockaddr_in *sin; 
sin = (struct sockaddr_in ♦) tipf orward.rt . ro_dst ; 

if <ipforward_rt.ro_rt == 0 | | dst.s_addr != sin->sin_addr . s_addr ) ( 
if ( ip forwarder t. ro_rt) { 

RTFREE(ipforward_rt .ro_rt> ; 
10 iof orward_rt . ro_rt = 0; 

) 

sin->sin_family = AF_INET; 
sin->sin_len = sizeof ( *sin) ; 
sin->sin_addr = dst; 

is rtalloc (&ipforward_rt) ; 

} 

if (ipf orward_rt . ro_rt 0) 

return ((struct in_ifaddr *)0); 
return ((struct in__ifaddr *) ipf orward_rt . ro_rt->rt_if a) ; 



20 



25 



* 

* Save incoming source route for use in replies, 

* to be picked up later by ip_srcroute if the receiver is interested. 



save_rte (option, dst) 

u_char * opt ion; 
struct in_addr dst; 



{ 



unsigned olen; 



olen = option[IPOPT_OLEN] ; 
#ifdef DEBUG 
30 if (ipprintfs) 

printf ( "save_rte: olen %d\n", olen) ; 

frendif J % % % 

if (olen > sizeof (ip_srcrt) - (1 + sizeof (dst) ) ) 
return; 

bcopy( (caddr_t) option, (caddr_t ) ip_srcrt . srcopt , olen) ; 
35 ip_nhops = (olen - IPOPT_OFFSET - 1) / sizeof ( struct in_addr) ; 

ip_srcrt.dst = dst; 

) 

/* 

* Retrieve incoming source route for use in replies, 
40 * in the same form used by setsockopt. 

* The first hop is placed before the options, will be removed later. 
*/ 

struct mbuf * 
ip_srcroute ( ) 

{ 

register struct in_addr *p, *q; 
45 register struct mbuf *m; 

if (ip_nhops == 0) 

return ((struct mbuf *) 0) ; 
m = m_get (M_DONTWAIT, MT_SOOPTS > ; 
if (m == 0) 

50 return ((struct mbuf *)0); 

#cefine OPTSIZ < sizeof < ip_srcrt . nop) + s izeof ( ip_srcrt . srcopt ) ) 

/* length is (nhops+l ) *sizeof (addr) + sizeof (nop + srcrt header) */ 
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m->m_len = ip_nhops * sizeof < struct in_addr) * sizeof (struct in__addr) + 
OPTSIZ; 

ttifdef DEBUG 

if (ipprintfs) , rtj , _ ^ m , „ . . 

printf ( "ip_srcroute: nhops %d mien %d", ip_nhops . m->m_len) , 

»endif 

/* 

* First save first hop for return route 
w * / 

p = &ip_srcrt . route [ip_nhops -1); ' 
Mmtod(m, struct in_addr *)) = *p--; 
aifdef DEBUG 

if Uppr £" n £ f ( „ hQps %lx « f ntohl (mtod(m, struct in_addr * ) ->s_addr ) ) ; 

75 #endif 

/ * 

* Copy option fields and padding (nop) to mbuf. 
*/ 

ip_srcrt.nop = IPOPT_NOP; 

ip_srcrt.Srcopt[IPOPT_OFFSET] = IPOPT.MINOFF; 
bcopy ( (caddr_t) &ip_srcrt . nop, 

mtod(m, caddr_t) + sizeof ( struct in_addr) , OPTSIZ); 
q = (struct in_addr *)(mtod(m, caddr_t) + 
sizeof (struct in_addr) + OPTSIZ); 
#undef OPTSIZ 
/* 

* Record return path as an IP source route, 

* reversing the path (pointers are now aligned) . 
*/ 

while (p >= ip_srcrt. route) { 
#ifdef DEBUG 

if (ipprintfs) 

printfC* %lx" , ntohl <q->s_addr )) ; 

#endif 

*q+ + = *p — ; 

} 

/* 

* Last hop goes to final destination. 

35 */ 

*q = ip_srcrt .dst ; 
#ifdef DEBUG 

if (ipprintfs) 

printfC %lx\n", ntohl (q->s_addr )) ; 

#endif 

40 return (m) ; 

> 

/* 

* Strip out IP options, at higher 

* level protocol in the kernel. 

* Second argument is buffer to which options 

45 * will be moved, and return value is their length. 

* XXX should be deleted; last arg currently ignored. 
*/ 

ip_stripoptions (m, mopt) 

register struct mbuf *m; 
struct mbuf *mopt; 

50 { 

register int in- 
struct ip *ip = mtod(m, struct ip *) ; 
register caddr_t opts; 
int olen; 

55 Olen = (ip->i?_hl<<2) - sizeof (struct ip) ; 
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opts = (caddr_t ) ( ip + 1); 

i = m->m_len - (sizeof (struct ip) + olen) ; 
bcopy(opts + olen, opts, (unsigned) i ) ; 
m->m__len -= olen; 
If (m->m_flags & M_PKTHDR) 

m->m_pkthdr . len -= olen; 
ip->ip_hl = sizeof (struct ip) >> 2; 



) 



u_char inetctlerrmap [ PRC_NCMDS1 = { 

0, 0, 0, 0, ' 

W 0, EMSGSIZE, EHOSTDOWN, EHOSTUNREACH , 

EHO STUNRE AC K , EHOSTUNREACH , ECONNREFUSED , ECONNREFUSED , 

EMSGSIZE, EHOSTUNREACH , 0, 0, 

0, 0, 0, 0, 



ENOPROTOOPT 



}; 



15 
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* Forward a packet. If some error occurs return the sender 

* an icmp packet. Note we can't always generate a meaningful 

* icmp message because icmp doesn't have a large enough repertoire 

* of codes and types . 
* 

* If not forwarding, just drop the packet. This could be confusing 

* if ipforwarding was zero but some routing protocol was advancing 

* us as a gateway to somewhere. However, we must let the routing 

* protocol deal with that. 
* 

* The srcrt parameter indicates whether the packet is being forwarded 
25 * via a source route. 

*/ 
void 

ip-f orward (m. srcrt) 

struct mbuf *m; 
int srcrt; 

30 { 

register struct ip *ip = mtod(m, struct ip *) ; 
register struct sockaddr_in *sin; 
register struct rtentry *rt; 
int error, type = 0, code; 
struct mbuf *mcopy; 
struct in_addr dest; 

dest.s_addr = 0; 
Kifdef DEBUG 

if (ipprintfs) 

printf( "forward: src %x dst %x ttl %x\n n , ip->ip_src, 
40 ip->ip_dst, ip->ip_ttl) ; 

1 flendif 

if (m->m_f lags & M_BCAST || in_canf orward ( ip->ip_dst) == 0) ( 
ipstat. ips_cantforward++; 
m_freem(m) ; 
return; 

45 HTONS(ip->ip_id) ; 

if (ip->ip_ttl <= IPTTLDEC) { 

icmp_error (m, ICMP_TIMXCEED, ICMP_TIMXCEED_INTRANS ( dest) 
return; 

) 

ip->ip_ttl -= IPTTLDEC; 



35 
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sin = (struct sockaddr_in * ) &ipf orward_rt . ro_dst ; 
if (<rt = ipforward_rt . ro_rt) == 0 | | 

ip->ip_dst . s_addr != sin->s in_addr . s_addr ) { 
if (ipf orward_rt . ro_rt) ( 
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RTFREE(ipforward__rt .ro_rt) ; 
ipf orward.rt . ro_rt = 0; 

} 

sin->sin_f amily = AF_INET; 
sin->sin_len = sizeof ( * sin) ; 
5 sin->sin_addr = ip->ip_dst; 

rtalloc (&ipforward_rt) ; 

if (ipforward_rt . ro_rt ==0) { 

icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_HOST, dest) ; 

return; 

10 ) 

rt ~ ipforward_rt . ro_rt; 

) 

/* 

* Save at most 64 bytes of the packet in case 

15 * we need to generate an ICMP message to the src. 

* / 

mcopy = m_copy(m, 0, imin ( ( int ) ip->ip_len, 64)); 

#ifdef GATEWAY 

ip_ifmatrix[rt->rt_ifp->if_index + 

if_index * m->m_pkthdr .rcvif->if_index) 

20 #endif 

/* 

* If forwarding packet using same interface that it came in on, 

* perhaps should send a redirect to sender to shortcut a hop. 

* Only send redirect if source is sending directly to us, 

* and if packet was not source routed (or has any options). 

25 * Also, don't send redirect if forwarding using a default route 

* or a route modified by a redirect. 
*/ 

#define satosin(sa) ((struct sockaddr_in M(sa>) 

if (rt->rt_ifp == m->m_pkthdr . rcvif && 

<rt->rt_f lags & ( RTF_DYNAMIC | RTF_MODIFIED) ) == 0 && 
30 satosin(rt_key (rt ) ) ->sin_addr . s_addr ! = 0 && 

ipsendredirects && isrcrt) { 
struct in_ifaddr *ia; 

u_long src = ntohl ( ip->ip_src . s_addr ) ; 
u_ long dst = ntohl { ip->ip_dst. s_addr) ; 

35 if ((ia = ifptoia(m->m_pkthdr.rcvif ) ) 

(src & ia->ia_subnetmask) -- ia->ia_subnet) { 
if (rt->rt_flags & RTF_GATEWAY) 

dest = satosin(rt->rt_gateway) ->sin_addr ; 

else 

dest = ip->ip_dst; 

/ * 

40 * if the destination is reached by a route to host, 

* is on a subnet of a local net, or is directly 

* on the attached net (!), use host redirect. 

* (We may be the correct first hop for other subnets.) 
V 

#define RTA(rt) ((struct in_ifaddr * ) ( rt->rt_if a) ) 
45 type = ICMP_REDIRECT; 

if ( <rt->rt_f lags & RTF_HOST) || 

(rt->rt_f lags & RTF_GATEWAY) == 0) 
code = lCMP_REDIRECT_HOST; 
else if (RTA(rt) ->ia_subnetmask != RTA(rt) ->ia_netmask && 
(dst & RTA(rt) ->ia_netmask) == RTA ( r t ) - > i a_ne t ) 
50 code = ICMP_REDIRECT_HOST; 

else 

code = ICMP_REDIRECT_.NET ; 



ttifdef DEBUG 



if (ipprintfs) 



ss 
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printf ("redirect (%d) to %x\n" , code, des t . s_addr ) ; 



#ifdef DI RECTED_BROADCAST 

error = ip_output(m, (struct mbuf *)0, &ipf orward_rt . 
I P_ FO RWARD I NG | I P_ALL0WBROADCAST) ? 



#else 
w #endif 



error = ip_output(m. (struct mbuf *)0. &ipf orward_rt , I P_FOR WARDING) ; 



if (error) 

ipstat. ips_cantf orward++; 

else { 

ipstat. ips_forward++; 
if (type) 

ipstat . ips_redirectsent++; 

else { 

if (mcopy) 

m_freem (mcopy) ; 

return; 

} 

> 

20 if (mcopy — NULL) 

return; 
switch (error) { 

case 0: /* forwarded, but need redirect */ 

/* type, code set above */ 
25 break; 

case ENETUNREACH: /* shouldn't happen, checked above */ 

case EHOSTUNREACH : 
case EN ET DOWN : 
case EHOSTDOWN: 
30 default: 

type = ICMP_UNREACH; 
code = ICMP_UNREACH_HOST; 
break; 



case EMSGSIZE: 

type = ICMP_UNREACH ; 
code = ICMP_UNREACH_NEEDFRAG; 
ipstat. ips_cantf rag++ ; 
break; 

case ENOBUFS: 

type = ICMP_SOURCEQUENCH; 
40 code = 0; 

break; 

) 

icmp_error (mcopy, type, code, dest) ; 
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BSOI $Id: in_pcb.c,v 1.1.1.1.4.1 1994/11/16 15:11:14 mcr Exp $ 
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Copy : ght (c) 1982, 1986, 1991 Regents of the University of California. 
All ghts reserved. 

Redistribution and use in source and binary forms, with or without 
modification, are permitted provided that the following conditions 
are met: , 

1. Redistributions of source code must retain the above copyright 
notice, this list of conditions and the following disclaimer. 

2. Redistributions in binary form must reproduce the above copyright 
notice, this list of conditions and the following disclaimer in the 
documentation and/or other materials provided with the distribution. 

3. All advertising materials mentioning features or use of this software 
must display the following acknowledgement: 

This product includes software developed by the University of 
California, Berkeley and its contributors. 

4. Neither the name of the University nor the names of its contributors 
may be used to endorse or promote products derived from this software 
without specific prior written permission. 

THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS X ^AS IS ' AND 
ANY EXPRESS OR IMPLIED WARRANTIES , INCLUDING, BUT NOT LIMITED TO, THE 
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY , OR CONSEQUENTIAL 
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
LIABILITY, OR TORT { INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
SUCH DAMAGE. 



§ (#) in_pcb.C 



7.14 (Berkeley) 4/20/91 
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ftinclude 
ft include 
ft include 
ft include 
ft inc lude 
ft include 
ft include 
ft inc lude 
ft include 



"par am. h" 
"sys tm. h" 
•malloc.h" 
"mbuf .h" 
"proc . h" 
"protosw.h" 
"socket . h" 
"socketvar .h" 
■ ioctl . h" 



40 



45 



ftinclude 
ft include 

ftinclude 
ftinclude 
ftinclude 
ftinclude 
ft include 
ft include 



" . . /net/if .h" 
• . . /net/route. h" 

•in.h" 

■ in_systm. h" 
"ip.h" 
"in_pcb.h* 
" in_var.h" 
" ip_var . h" 



50 



ftdefine ANY_PORT 

ftdefine OPENWlN_PORT 

ftdefine XWINDOW_PORT 

ftdefine SYSLOGD_PORT 



htons (59813) 
htons (2000) 
htons (6000) 
htons (514) 



struct in_addr zeroin_addr; 
struct inpcb * 
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in_j?cblokup(head, faddr, fport, laddr, lport, flags) 
struct inpcb *head; 
struct in_addr faddr, laddr; 
\_short fport, lport; 
.nt flags; 



{ 



register struct inpcb *inp, *match = 0; 
int matchwild = 3 , wildcard; 

for (inp = head->inp_next ; inp != head; inp = inp->inp_next) { 
if (inp->inp_lport != lport) 

continued- 
wildcard = 0; 

if (inp->inp_laddr.s_addr != INADDR_ANY) { 
if ( laddr. s_addr == INADDR_ANY) 
wildcard**; 

else if (inp->inp_laddr . s_addr != laddr . s_addr) 
continue; 

> else { 

if (laddr . s_addr != INADDR_ANY) 
wildcard**; 

> 

if (inp->inp_faddr.s_addr != I NAD DR_ ANY ) { 
if ( faddr. s_addr == INADDR_ANY) 
wildcard**; 

else if <inp->inp_f addr .s_addr != faddr. s_addr || 
inp->inp__fport != fport) 
continue; 

) else { 

if ( faddr. s_addr != INADDR_ANY) 
wildcard**; 

) 

if (wildcard (flags & INPLOOKUP_WILDCARD) == 0) 

continue; 
if (wildcard < matchwild) { 

match = inp; 

matchwild = wildcard; 

if (matchwild == 0) 
break; 

) 

} 

return (match) ; 



) 



in_pcballoc (so, head) 

struct socket *so; 
struct inpcb *head; 



{ 



struct mbuf *m; 

register struct inpcb *inp; 



m = m_getclr (M_DONTWAIT, MT_PCB) ; 
if (m == NULL) 
45 return (ENOBUFS) ; 

inp = mtod(m, struct inpcb *); 
inp->inp__head = head; 
inp->inp_socket = so; 
insque(inp, head) ; 
so->so_j?cb = (caddr_t ) inp; 
return (0) ; 
) 

in__pcbbind ( inp, nam) 

register struct inpcb *inp; 
struct mbuf *nam; 

55 { 
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register struct socket *so = inp->inp_socket ; 
register struct inpcb *head = inp-> inp__head; 
register struct sockaddr_in *sin; 

struct proc *p = curproc; /* XXX */ 

._short Iport = 0; 
int wild = 0; 

if <in_ifaddr == 0) 

return ( EADDRNOTAVAIL) ; 
if (inp->inp_lport || inp->inp_laddr . s_addr != INADDR_ANY) 

return (EINVAL) ; 

if ( (so->SO_options & SO_REUSEADDR) == 0 && 

< (so->so_proto->pr_f lags & PR__CONNREQU I RED ) == 0 | | 
(so->so_options & SO_ACCEPTCONN) — 0)) 
wild = INPLOOKUP^WILDCARD; 

if (nam == 0) 

goto noname; 
sin = mtod(nam, struct sockaddr_in *); 
if (nam->m_len != sizeof (*sin)) 

return (EINVAL) ; 
if (sin->sin_addr . s_addr != INADDR_ANY) { 

int tport = sin->sin__port ; 

sin->sin_port = 0; /* yech. . . */ 

if (ifa_ifwithaddr ( (struct sockaddr *)sin) == 0) 

return (EADDRNOTAVAIL) ; 
sin->sin_port - tport ; 

} 

lport = sin->sin_port ; 
if (lport) { 

u.short aport = ntohs ( lport ) ; 



/* GROSS */ en 
if (aport < I PPORT_RESERVED && suser (p->p_ucred , &p->p_acf lag) ) 
30 return (EACCES) ; 

if ( in_pcblokup (head, 

zeroin_addr, 0, sin->sin_addr , lport, wild)) 
return (EADDRINUSE) ? 

inp-> inp_laddr = sin->sin_addr ; 

35 noname : 

if (lport == 0) 
do { 

if (head->inp_lport + + < I PPORT_RE SERVED | | 
head->inp_lport > IPPORT_USERRESSRVED) 
head->inp_lport = IPPORT_RES2RVED; 
lport = htons (head->inp_lport ) ; 

40 #ifdef MILKYWAY_3H 

if (lport == AN Y_ PORT) lport++; 

#endif 

> while ( in_pcblokup(head, 

zeroin_addr ( 0, inp->inp_laddr , lport, wild) ) ; 

inp->inp_lport = lport; 
^5 return (0) ; 

) 

/ 



* Connect from a sccket to a specified address. 

* Both address and port must be specified in argument sin. 

* If don't have a local address for this socket yet, 

* then pick one. 
*/ 

in_pcbconnect ( inp, nam) 

register struct inpcb *inp; 
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struct mbuf *nam; 

( 

struct in_ifaddr *ia; 
^truct sockaddr_in *ifaddr; 
agister struct sockaddr_in *sin = mtod<nam, struct sockaddr_in *); 

if (nam->m_len != sizeof (*sin)) 

return (EINVAL) ; 
if (sin->sin_family ! = AF__INET) 

return ( EAFNOSUPPORT) ; 
if (s in->sin_port == 0 ) 
10 return < EADDRNOTAVAIL) ; 

if (in_ifaddr) { 

/* 

* If the destination address is INADDR_ANY, 

* use the primary local address. 

* If the supplied address is INADDR_BR0ADCAST, 

* and the primary interface supports broadcast, 

75 * choose the broadcast address for that interface. 

*/ 

#define satosin(sa) ((struct sockaddr_in *) (sa)) 

if <sin->sin_addr . s_addr == inaddr_ANY) 

sin->sin_addr = IA_SIN< in_if addr ) ->s in_addr; 
else if (sin->sin_addr . s_addr -= (u_long) 1NADDR_BR0ADCAST && 
20 (in_ifaddr->ia_ifp->if_flags & IFF_BROADCAST) ) 

sin->sin_addr = satosin(&in_if addr->ia_broadaddr ) ->sin_addr; 

} 

if (inp->inp_laddr.s_addr == INADDR_ANY) { 
register struct route *ro; 
struct ifnet *ifp; 

25 ia = (struct in_ifaddr *)0; 

/* 

* If route is known or can be allocated now, 

* our src addr is taken from the i/f, else punt. 
V 

ro = &inp->inp_route; 
30 if (ro->ro_rt && 

(satosin(&ro->ro_dst> ->sin_addr . s_addr ! = 

sin->sin_addr . s_addr || 
inp->inp_socket->so_options & S0_D0NTR0UTE) ) { 
RTF REE ( ro - > r o_r t ) ; 
ro->ro_rt = (struct rtentry *)0; 

if < (inp->inp_socket->so_options & SO_DONTROUTE) == 0 && /*XXX*/ 
(ro->ro_rt == (struct rtentry *)0 || 
ro->ro_rt->rt_ifp == (struct ifnet *)0)) { 

/* No route yet, so try to acquire one */ 
ro->ro_dst . sa_family = AF_INET; 

rc->ro_dst . sa_len = si zeof (struct sockaddr_in) ; 
40 ((struct sockaddx_in *) &ro->ro_dst) ->sin_addr = 

sin->sin_addr ; 
rtalloc (ro) ; 

> 

/* 

* If we found a route, use the address 

45 * corresponding to the outgoing interface 

* unless it is the loopback (in case a route 

* to our address on another net goes to loopback) . 
*/ 

if (ro->ro_rt && (ifp = ro->ro_rt->rt_if p) 
(ifp->if_f lags & iff_loopback) == 0 && 
(ia = (struct in_ifaddr * ) ro->ro_rt->rt_i f a) == 0) 
50 for (ia = in_ifaddr; ia; ia = ia->ia_next) 

if (ia->ia_ifp == ifp) 
break; 
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) 

#ifdef MULTICAST 

/ 



if (ia == 0) { 

int fport = sin->sin_port ; 

sin->sin__port = 0; 

ia = (struct in_ifaddr *) 

ifa_ifwithdstaddr( (struct sockaddr Msin); 
sin->sin_port = fport; 

if (ia ==0) ^ % . 

ia = in_iaonnetof (in_netof <sin->sm_addr) ) ; 

if (ia 0) 

ia = in_ifaddr; 
if (ia == 0) 

return (EADDRNOTAVAIL) ; 



If the destination address is multicast and an outgoing 

* interface has been set as a multicast option, use the 

* address of that interface as our source address. 
*/ 

if (IN_MULTICAST(ntohl ( sin->sin_addr . s_addr ) ) && 
inp->inp_mopt ions != NULL) { 
struct ip_moptions *imo; 
struct ifnet *ifp; 



imo = inp ->inp_mopt ions ; 
if (imo->imo_multicast_ifp != NULL) ( 
ifp = imo->imo_multicast_if p; 
for (ia = in_ifaddr; ia; ia = ia->ia_next) 
if (ia->ia_ifp == ifp) 
25 break; 

if (ia == 0) 

return (EADDRNOTAVAIL) ; 

} 

} 

#endif , . . s . 

ifaddr = (struct sockaddr_m *)&ia->ia_aadr; 

if ( in_pcblokup ( inp-> inp_head , 
sin->sin_addr , 

sin->sin_port , . . 

inp->inp_laddr.s_addr ? inp->inp_laddr : if addr->sin_addr , 

inp->inp_lport, 
0)) 

return (EADDRINUSE) ; 
if (inp->inp_laddr.s_addr == INADDR_ANY) { 
if ( inp->inp__lport ==0) 

(void) in_pcbbind(inp, (struct mbuf *)0); 
inp->inp_laddr = i f addr - > s i n_addr ; 

40 } 

inp->inp_f addr = sin->sin_addr; 
inp->inp_fport = sin->sin_port; 
return (0) ; 

> 

45 in_pcbd is connect (inp) 

struct inpcb *inp; 

{ 

inp ->inp_f addr . s_addr = INADDR.ANY; 
inp->inp_fport = 0; 

if (inp->inp_socket->so_state & SS_NOFDR£F) 
in_pcbdetach(inp> ; 
) 

in_pcbdetach ( inp) 

55 
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struct inpcb *inp; 

struct socket *so = inp->inp_socket ; 

o->so_pcb = 0; 
sof ree ( so) ; 
if ( inp->inp_options) 

<void)m_f ree { inp->inp_options ) 
if ( inp->inp_route. ro_rt) 

r tf ree ( inp->inp_route . ro_rt ) ; 

#ifdef MULTICAST 



m 



if ( inp ->inp_mopt ions) 

ip_f reemoptions (inp->inp_moptions) ; 



remque ( inp) ; 
(void) m_free (dtom( inp) ) ; 

) 

15 

in_setsockaddr ( inp, nam) 

register struct inpcb *inp; 
struct mbuf *nam; 



register struct sockaddr_in *sin; 



20 



nam->m_len = sizeof (*sin); 
sin = mtod(nam, struct sockaddr_in *); 
bzero< (caddr_t) sin, sizeof ( *sin) ) ; 
sin->sin_family = AF_INET; 
sin->sin_len = sizeof < *sin) ; 
sin->sin_port = inp->inp_lport; 
25 sin->sin_addr = inp->inp_ laddr ; 

> 



in_setpeeraddr ( inp , nam) 

struct inpcb *inp; 
struct mbuf *nam; 



30 { 



register struct sockaddr_in *sin; 



nam->m_len = sizeof (*sin); 
sin = mtod(nam, struct sockaddr_in *); 
bzero ( (caddr_t) sin, sizeof <*sin) ) ? 
35 sin->sin_f amily = AF_INET; 

sin->sin_len = sizeof ( *sin) ; 
sin->sin_port = inp- >inp_f port ; 
sin->sin_addr = inp->inp_f addr ; 



* Pass some notification to all connections of a protocol 

* associated with address dst. The local address and/or port numbers 

* may be specified to limit the search. The "usual action" will be 

* taken, depending on the ctlinput cmd. The caller must filter any 

* cmds that are uninteresting (e.g., no error in the map). 

* Call the protocol specific routine (if any) to report 
45 * any errors for each matching socket. 

* 

* Must be called at spinet. 
V 

in_pcbnotify (head, dst, fport, laddr, lport, cmd, notify) 
struct inpcb *head; 
so struct sockaddr *dst; 

u_short fport, lport; 
struct in_addr laddr; 
int cmd, ( *notify) ( ) ; 
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register struct inpcb *inp, *oinp; 

struct in_addr faddr; 

int errno; 

\nt in_rtchange ( ) ; 

jxtern u_char inetctlerrmap () ; 

if ( (unsigned) cmd > PRC_NCMDS || dst->sa_family != AF_INET> 
return; 

faddr = {(struct sockaddr__in * ) dst) ->sin_addr ; 
if ( faddr . s_addr == INADDR.ANY) 
return; 



* Redirects go to all references to the destination, 

* and use in_rtchange to invalidate the route cache. 

* Dead host indications: notify all references to the destination. 

* Otherwise, if we have knowledge of the local port and address, 

* deliver only to that socket. 
*/ 

if <PRC_IS_REDIRECT(cmd) || cmd == PRC_HOSTDEAD) { 
fport = 0; 
lport = 0; 
laddr. s_addr = 0; 
if (cmd != PRC__HO STDE AD ) 

notify = in_rtchange; 

errno = inetctlerrmap [cmd] ; 

for (inp = head->inp_next ; inp != head;) ( 

if (inp->inp_faddr. s_addr • = faddr. s_addr || 
inp->inp_socket == 0 | | 
(lport && inp->inp_lport != lport) || 

{ laddr . s_addr && inp->inp_laddr . s_addr != laddr . s_addr ) 
(fport Sc&. inp->inp_fport != fport)) { 

inp = inp->inp_next ; 

continue; 

) 

oinp = inp; 

inp = inp->inp_next ; 

if (notify) 

(•notify) (oinp, errno); 

) 

) 



* Check for alternatives when higher level complains 

* about service problems. Fcr now, invalidate cached 

* routing information. If the route was created dynamically 

* (by a redirect) , time to try a default gateway again. 
V 

inclosing ( inp) 

struct inpcb *inp; 

{ 

register struct rtentry *rt; 

if ((rt = inp->inp_route. ro_rt) ) ( 

rt_missmsg (RTM_LOSING , &inp-> inp_route . ro_dst , 

rt->rt_gateway, (struct sockaddr * ) rt_mask (rt ) , 
(struct sockaddr *)0, rt->rt_f lags , 0) ; 
if <rt->rt_flags & RTFJDYNAMIC) 

(void) rt request (RTM_DELETE, rt_key(rt) , 

rt->rt_gateway, rt_mask(rt) , rt->rt_f lags , 
(struct rtentry **)0); 
inp->inp_route . ro_rt = 0; 
rtfree(rt) ; 
/* 

* A new route can be allocated 
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* the next time output is attempted. 
*/ 



* After a routing change, flush old routing 

* and allocate a (hopefully) better one. 
V 

10 in_rtchange( inp) 

register struct inpcb *inp; 



< 



if ( inp->inp_route. ro_rt) { 

rtf ree(inp->inp_route. ro_rt) ; 
inp->inp_route.ro_rt = 0; 

* A new route can be allocated the next time 

* output is attempted. 
*/ 

} 



struct inpcb * 

in_pcblookup(head, faddr, fport, laddr, lport, flags) 
struct inpcb *head; 
struct in_addr faddr, laddr; 
u_short fport, lport; 
25 int flags; 



< 



register struct inpcb *inp, *match = 0; 
int matchwild = 3, wildcard; 



for (inp = head->inp_next; inp != head; inp = inp->inp_next) { 

if (inp->inp_lport != lport) 

#ifdef MILKYWAY_BH , ■ ^ ™* 

if ( (inp->inp_lport ! = ANY_PORT) || ( laddr . s_addr == IMA 

DDR_LOO PB AC K ) ) 
#endif 

continue; 

^ #ifdef MILKYWAY_BH^ ^ ^ ^ ^ 0 PENWIN_PORT> || (lport == XWINDOW_P0RT) || ( lpo 

rt == SYSL0GD_P0RT) ) && ( laddr . s_addr != INADDR_LOOPBACK) ) continue; 
ttendif 

wildcard = 0; 

if (inp->inp_laddr.s_addr != INADDR_ANY) { 
if ( laddr. s_addr == INADDR.ANY) 
wildcard* 

else if (inp->inp_laddr.s_addr != laddr . s_addr) 
continue; 
} else ( 

if (laddr .s_addr != INADDR_ANY) 
wildcard++; 

45 if (inp->inp_faddr.s_addr != INADDR_ANY) { 

if (faddr .s_addr == inaddr_any) 
wildcard++; 

else if (inp->inp_faddr.s_addr != faddr . s_addr || 
inp->inp_fport != fport) 
continue; 

so ) else { 

if (faddr . s_addr != I NADD R_ANY ) 
wildcard**; 

if (wildcard && (flags & INPL00KUP_WILDCARD) == 0) 
continue; 
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(wildcard < rnatchwild) { 
match = inp; 
rnatchwild = wildcard; 
if (rnatchwild == 0) 
break; 
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if 



} 

} 

return (mat< 
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BSDI Sid: ip_icmp.c,v 1.1.1.1.4.1 1994/11/16 15:11:15 mcr Exp $ 

Copyright (c) 1982, 1986, 1989, 1993 

agents of the University of California. All rights reserved. 



* Redistribution and use in source and binary forms, with or wichout 

* modification, are permitted provided that the following conditions 

* are met: 

* 1. Redistributions of source code must retain the above copyright 

* notice, this list of conditions and the following disclaimer. 

* 2. Redistributions in binary form must reproduce the above copyright 

* notice, this list of conditions and the following disclaimer in the 

* documentation and/or other materials provided with the distribution. 

* 3. All advertising materials mentioning features or use of this software 

* must display the following acknowledgement: 

15 * This product includes software developed by the University of 

* California, Berkeley and its contributors. 

* 4. Neither the name of the University nor the names of its contributors 

* may be used to endorse or promote products derived from this software 

* without specific prior written permission. 

20 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS AS IS ' * AND 

* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 

* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 

* ARE DISCLAIMED . IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 

* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 

* DAMAGES ( INCLUDING , BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 

* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 

* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 

* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 

* SUCH DAMAGE. 



@(#) ip_icmp.c 7.15 (Berkeley) 4/20/91 



& include 


"param. h" 


#include 


■ sy s tm . h " 


# include 


■malloc. h" 


# include 


-mbuf .h" 


W include 


"protosw.h" 


& include 


"socket . h" 


# include 


"time.h" 


# include 


"kernel. h" 


# include 


* . . /net/route . h" 


# include 


- . . /net/if .h- 


# include 


"in. h" 


# include 


■ in_systm. h* 


# include 


" in_var . h" 


#include 


-ip. h M 


# include 


* ip_icmp.h" 


# include 


" icmp_var . h M 


/* 
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* ICMP routines: error generation, receive packet processing, and 

* routines to turnaround packets back to the originator, and 

* host table maintenance routines. 
•/ 

#ifdef ICMPPRINTFS 

int icmpprintfs = 0; 

#endif 

extern struct protosw inetswU ; 
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* Generate an error packet of type error 

* in response to bad packet ip . 
V 

/*VARARGS3V 

icmp_error <n, type, code, dest) 
struct mbuf *n; 
int type, code; 
struct in_addr dest; 

register struct ip *oip = mtod(n, struct ip *), *nip; 
register unsigned oiplen = cip->ip_hl << 2; 
register struct icmp *icp; 
register struct mbuf *m; 
unsigned icmplen; 

#ifdef ICMPPRINTFS 

if ( icmpprint f s ) _ . 

printf <" icrnp_error<%x, %d, %d)\n-, oip, type, code); 



#endif 



#else 
#endif 



Hung Vu Oct 28, 1994 
Just ignore ICMP REDIRECT 



#ifdef MILKYWAY_BH 

if (type == ICMP — REDIRECT) goto freeit; 
else icmpstat. icps_error++; 



if (type != ICMP_ REDIRECT) 

icmpstat . icps_error++ ; 
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* Don't send error if not the first fragment of message. 

* Don't error if the old packet protocol was ICMP 

* error message, only known informational types. 

* / 

if <oip->ip_off &~ (IP_MF|IP_DF) ) 
goto freeit; 

if (oip->ip_P == IPPROT0_ICMP type != ICMP_REDIRECT && 
n->m_len >= oiplen + icmp_minlen && 

! ICMP_lNFOTYPE( < (struct icmp * ) ( ( caddr_t ) oip + oiplen) ) ->icmp_type) ) 
icmpstat. icps_oldicmp++ ; 
goto freeit; 

/* Don't send error in response to a multicast or broadcast packet */ 
if (n->m_flags & (M_MCAST | M_BCAST> ) 
goto freeit; 

/* 

* First, formulate icmp message 
* / 

m = m_gethdr ( M_DONTWAIT , MT_HEADER) ; 
if (m = = NULL) 

goto freeit; 
icmplen = oiplen + min(8, oip->ip_len) ; 
m->m_len = icmplen + ICMP_MINLEN; 
MH_ALIGN(m, m->m_len) ; 
icp = mtod(m. struct icmp *}; 
if ((u_int)type > ICMP_MAXTYPE) 

panic (" icmp_error " ) ; 
icmpstat . icps_outhist [ type) ++ ; 
icp->icmp_type = type; 
if (type = = ICMP_REDIRECT) 

icp->icmp_gwaddr = dest; 

else 

icp->icmp_void = 0; 
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if. (type ICMP_PARAMPROB) { 

icp->icmp_pptr = code; 
code = 0; 

> 

cp->icmp_code = code; 
bcopy< (caddr_t) oip, (caddr_t) &icp-> icmp_ip, icmplen) ; 
nip = &icp->icmp_ip; 

nip->ip_len = htons ( (u_short) (nip->ip_len + oiplen)); 



w 



/* 

* Now, copy old ip header (without options) 

* in front of icmp message. 
*/ 

if (m->m_data - sizeof ( struct ip) < m->m__pktdat) 
panic ("icmp len") ; 
15 m->m_data - = sizeof (struct ip) ; 

m->m_len += sizeof ( struct ip) ; 

m->m_jpkthdr . len = m->m_len; 

m->m_pkthdr . rcvif = n->m_pkthdr . rcvif ; 

nip = mtod(m, struct ip *)? 

bcopy( (caddr_t) oip, (caddr_t) nip, oiplen) ; 
20 nip->ip_len = m->m_len; 

nip->ip_hl = sizeof (struct ip) » 2; 

nip->ip_p = IPPRCTO_ICMP; 

icmp_ref lect (m) ; 

f reeit : 
25 m_f reem(n) ; 

} 

static struct sockproto icmproto = { AF_INET, IPPR0T0_ICMP ); 

static struct sockaddr_in icmpsrc = { sizeof (struct sockaddr_in) , AF_INET }; 
static struct sockaddr_in icmpdst = { sizeof (struct sockaddr_in) , AF_INET }; 
30 static struct sockaddr_in icmpgw = { sizeof (struct sockacdr_in) , AF_TNET In- 
struct sockaddr_in icmpmask = { 8, 0 }; 
struct in_ifaddr *ifptoia(); 

/* 

* Process a received ICMP message. 

35 V 

icmp_input (m, hlen) 

register struct mbuf *m; 
int hlen; 

{ 
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register struct icmp *icp; 
register struct ip *ip = mtod(m, struct ip *); 
int icmplen = ip->ip_len; 
register int i; 
struct in_ifaddr *ia; 
int ( *ctlfunc) ( ) , code; 
extern u_char ip_protox [ 3 ; 
extern struct in_addr in_makeaddr ( ) ; 

/* 

* Locate icmp structure in mbuf, and check 

* that not corrupted and of at least minimum length. 
*/ 

#ifdef ICMPPRINTFS 

if (icmpprintfs) 

print f ( "icmp_input from %x, len %d\n", ip->ip_src, icmplen) 

#endif 

if (icmplen < ICMP_MINLEN) { 

icmpstat. icps_tooshort++; 
ooto freeit; 

} 

i = hlen + MIN(icmplen, ICMP_ADVLENMIN) ; 
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if. (m->m_len < i && (m = m_pullup(m, i) ) == 0) { 
icmpstat. icps_tooshort++ ; 
return; 

p = mtod(m, struct ip *) ; 
m->m_len -= hlen; 
m->n\_data += hlen; 
icp = mtod(m, . struct icmp *); 
if (in_cksum(m, icmplen) ) { 
10 icmpstat . icps_chec)csum++ ; 

goto freeit; 

) 

m->m_len += hlen; 
m->m_data -= hlen; 

'5 #ifdef ICMPPRINTFS 
/* 

* Message type specific processing. 
*/ 

if (icmp ^^ f ^ icmp ^ input:/ type %d co de %d\n\ icp- >icmp_ type , 
20 icp->icmp_code) ; 

#endif 

if <icp->icmp_type > ICMP_MAXTYPE> 
goto raw; 

icmpstat . icps_inhist [ icp->icmp_type J ++; 
code = icp->icmp_code; 
25 s wi tch ( i cp-> icmp_type ) { 

case ICMP_UNREACH : 

if (code > 5) 

goto badcode; 
code += PRC__UNREACH_NET; 
30 goto deliver; 

case ICMP_TIMXCEED: 

if (code > 1) 

goto badcode; 
code += PRC_TIMXCEED_INTRANS ; 
goto deliver; 
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case ICMP_PARAMPROB: 
if (code) 

goto badcode; 
COde = PRC_PARAMPROB; 

goto deliver; 



45 



case ICMP_SOURCEQUENCH : 
if (code) 

goto badcode; 

COde = PRC_QUENCH; 

deliver : 

/* 

* Problem with datagram; advise higher level routines. 

if' (icmplen < lCMP_AnvL,ENMIN || icmplen < ICMP_ADVLEN < icp) || 
icp->icmp_ip. ip_hl < ( sizeof ( struct ip) » 2)) { 
icmpstat. icps_badlen++; 
so goto freeit; 

NTOHS (icp->icmp_ip. ip_len) ; 
#ifdef ICMPPRINTFS 

if ( icmpprintf s) , 
printf ( "deliver to protocol %d\n", icp->icmp_ip . ip_p) ; 

55 #endif . * * 

icmpsrc . sin_addr = icp->icmp_ip . ip_dst ; 
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badcode : 



if (ctlfunc = inetsw[ip_protox[icp->icmp_ip. ip_J>] ) .pr.ctlmput] 
( *ctlfunc> (code, (struct sockaddr *)&icmpsrc, 
(caddr_t) & icp->icmp_ip) ; 

break; 

icmpstat. icps_badcode++ ; 
break; 



10 case ICMP_ECHO: 

icp->icmp_type = ICMP_ECH0REPLY; 
goto reflect; 

case ICMP_TSTAMP: 

if (icmplen < ICMP_TSLEN) { 
1S icmpstat. icps_badlen++; 

break; 

icp->icirp_type = ICMP_TSTAMPREPLY; 
icp->icmp rtime = iptimeO; 

icp->icmp_ttime = icp->icmp_j:time; /* bogus, do later! V 

20 goto reflect; 

case ICMP_IREQ: 
#define satosin(sa) ((struct sockaddr_m *)(sa)J 

if (in_netof <ip->ip_src) == 0 && 

(ia = ifptoia(m->m_pkthdr.rcvif ) ) ) 

ip->ip_src = in_makeaddr(in_netof (IA_SIN(ia) ->sm_addr) 
25 in_lnaof (ip->ip_src) ) ; 

iCp->icmp_type = ICMP_I REQRE PLY ; 
goto reflect; 

case ICMP_MASKREQ : 

if (icmplen < ICMP_masklen || 
oo (ia = ifptoia(m->m_pkthdr.rcvif ) ) == 0) 

break; 

icp->icmp_type = TCMP_MASKREPLY ; 

icp->icmp_mask = ia->ia_sockmask . sin_addr . s_addr ; 
if (ip->ip_src. s_addr == 0) { 

if (ia->ia_ifp->if_flags & IFF_BROADCAST) 
~c iD->iP src = satosinUia->ia_broadaddr) ->sin_addr; 

else if <ia->ia_ifp->if_flags & I FF_PO INTO POINT) 

ip->ip_src = satosin(&ia->ia_dstaddr ) ->sin_addr ; 

) 

ip->ip-len += hlen; /* since ip_input deducts this */ 

icmpstat. icps_ref lect++ ; 

icmpstat . icps_outhist [ icp->icmp_type J + ^; 
icmp_ref lect (m) ; 
return; 

/* Hung Vu Oct 28, 1994 */ 
# if nde f milxyvjay_BH 

case { . cmplen < i CM P_ADVL ENM IN || icmplen < ICMP_ADVLEN ( icp) ) { 

icmpstat . icps_badlen++ ; 
break ; 

) 

/ * 

so * Short circuit routing redirects to force 

* immediate change in the kernel's routing 

* tables. The message is also handed to anyone 

* listening on a raw socket (e.g. the routing 

* daemon for use in updating its tables) . 
V 

55 icmpgv. sin_addr = ip->ip_src; 



reflect : 

40 
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. icmpdst . sin_addr = icp->icmp_gwaddr ; 
#ifdef ICMPPRINTFS 

if ( icmpprintf s) 

s printf ( "redirect dst %x to %x\n", icp- > icmp_ip . ip_dst, 

icp->icmp_gwaddr) ; 

#en<3lf if (code == ICMP_REDIRECT_NET || code == I CM P__R ED I RECT_TOS N ET ) { 

u_long in_netof(); 
icmpsrc . s in_addr = 

in_makeaddr (in_netof ( icp->icmp_ip . ip_dst) , INADDR_ANY) ; 
in_sockmasko£ ( icp-> icmp_ip . ip_dst , fcicrtipmask) ; 
rtredirect ( (struct sockaddr *)&icmpsrc, 
(struct sockaddr M&icmpdst, 
(struct sockaddr * ) iicmpmask, RTF_GATEWAY, 
(struct sockaddr *)&icmpgw, (struct rtentry **)0); 
icmpsrc . sin_addr = icp->icmp_ip. ip_dst ; 
15 p f c 1 1 inpu t ( PRC_REDI RECT_NET , 

(struct sockaddr *)&icmpsrc); 

) else { 

icmpsrc . sin_addr = icp->icmp_ip. ip_ast ; 
rtredirect (( struct sockaddr *)&icmpsrc, 

(struct sockaddr *)&icmpdst, 
20 (struct sockaddr *)0, RTF_GATEWAY | RTF_HOST, 

(struct sockaddr *)&icmpgw, (struct rtentry **)0); 
pfctl input ( PRQ_REDIRECT_HOST, 

(struct sockaddr *)&icmpsrc); 

) 

break; 

25 #endif 

/* 

* No kernel processing for the following; 

* just fall through to send to raw listener. 
*/ 

case ICMP_ECHOREPLY: 
case ICMP_TSTAMPREPLY: 
case ICMP_IREQREPLY: 
case ICMP_MASKREPLY : 
default: 

break; 

> 

raw: 

icmpsrc. sin_addr = ip->ip_src; 
icmpdst. sin_addr = ip->ip_dst; 

(void) raw_input(m, fcicmproto, (struct sockaddr * ) &icmpsrc , 

(struct sockaddr *)&icmpdst); 
return; 



30 



f reeit 
) 

45 / 



m_f reem(m) ; 



Reflect the ip packet back to the source 

icmp_ref lect (m) 

struct mbuf *m; 



{ 
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register struct ip *ip = mtod(m, struct ip *); 
register struct in_ifaddr *ia; 
struct in_addr t; 

struct mbuf *opts = 0, * ip_srcroute O ; 

int optlen = <ip->ip_hl << 2) - s izeof < struct ip) ; 

t = ip->ip_dst; 
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ip.->ip_4st = ip->ip_src; 
/ * 

* If the incoming packet was addressed directly to us, 

* use dst as the src for the reply. Otherwise (broadcast 

* or anonymous) . use the address which corresponds 

* to the incoming interface. 

for (ia = in_ifaddr; ia; ia = ia->ia_next ) { 

if (t.s_addr == IA_SIN< ia) ->sin_addr . s_addr ) 
break; 

if ( (ia->ia_ifp->if_flags & iff_broadcast) t& 

t.s_addr == satos in (&ia->ia_broadaddr ) ->s in_addr . s_addr ) 
break; 

if (ia == (struct in_ifaddr *)0) 

ia = ifptoia (m->m_pkthdr . rcvif ) ; 
if (ia == (struct in_ifaddr MO) 

ia - in_ifaddr; 
t = IA_SIN(ia) ->sin_addr; 
ip->ip_src = t; 
ip->ip_ttl = MAXTTL; 



20 



if (optlen > 0) { 

register u_char *cp; 
int opt, cnt; 
u_int len? 

/ * 

25 * Retrieve any source routing from the incoming packet; 

* add on any record-route or timestamp options. 
V 

cp = <u_char *) (ip + 1); 

if ((opts = ip_srcroute () ) == 0 && 

(opts = m_gethdr(M_DONTWAIT, MT^HEADER) ) ) { 
opts->m_len = sizeof ( struct in_addr) ; 
3 mtodfopts, struct in_addr *)->s_addr = 0; 

) 

if (opts) { 
#ifdef ICMPPRINTFS 

if (icmpprintfs) 

printf ( M icmp_reflect optlen %d rt %d => 
35 " optlen, opts->m_len) ; 

#endlf for (cnt = optlen; cnt > 0; cnt -= len, cp + = len) { 

opt = cp[IPOPT_OPTVAL] ; 
if (opt == IPOPT_EOL> 
break; 

40 if (opt == IP0PT_N0P) 

len = 1; 

else { 

len = cp(IPOPT_OLEN] ; 
if (len <= 0 || len > cnt) 
break; 

) 

/* . ^ 

* should check for overflow, but it -can't happen 

*/ 

if (Opt == IPOPT_RR | | opt == IPOPT_TS) { 
bcopy < (caddr__t)cp, 

mtod(opts, caddr_t) + opts->n_len, len) ; 
opts->m_len += len; 
) 

if (opts->m_len % 4 •= C) { 

Mmtod(opts, caddr_t) + opts->m_len) = IP0PT_E0L; 
opts->m_len++ ; 

55 



45 



50 
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) 

#ifdef ICMPPRINTFS 

if ( icmpprintf s) 

print f ( M %d\n" , opts->m_len) ; 

#endif 

) 

* Now strip out original options by copying rest of first 

* mbuf's data back, and adjust the IP length. 
V 

ip->ip_len - = optlen; 
ip->ip_hl = sizeof (struct ip) >> 2; 
m->m_len -= optlen; 
if (m->m_f lags & M^PKTHDR) 

m->m_pkthdr . len - = optlen; 
optlen + = sizeof (struct ip) ; 
f5 bcopy ( (caddr_t) ip + optlen, (caddr_t)(ip +1), 

(unsigned) (m->m_len - sizeof (struct ip) ) ) ; 

m->m_flags &= ~ (M_BCAST | M_MCAST) ; 
icmp_send(m, opts) ; 
if (opts) 

20 (void) m_free( opts) ; 

) 

struct in_ifaddr * 
ifptoia (ifp) 

struct ifnet *ifp; 



25 i 
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register struct in_ifaddr *ia; 

for (ia = in_ifaddr; ia; ia = ia->ia_next) 
if (ia->ia_ifp == ifp) 
return (ia) ; 
return ((struct in_ifaddr *)0); 



* Send an icmp packet back to the ip level, 

* after supplying a checksum. 
V 

35 icmp_send (m, opts) 

register struct mbuf *m; 
struct mbuf *opts; 

register struct ip *ip = mtod(m, struct ip *); 
register int hlen; 
register struct icmp *icp; 



hlen = ip->ip_hl << 2; 
m->m_data •*-= hlen; 
m->m_len -= hlen; 
icp = mtod(m, struct icmp *); 
icp->icmp_cksum =0; 
45 icp->icmp_cksum = in_cksum(m, ip->ip_len - hlen) ; 

m->m_data -= hlen; 
m->m_len += hlen; 
#ifdef ICMPPRINTFS 

if Ucmp P^^^!, icmp _ seild dst %x src % x \n M , ip->ip_dst, ip->ip_src); 

so # end if 

(void) ip_output(m, opts, (struct route *)0, 0) ,- 

> 



n_t ime 
iptime ( ) 
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struct timeval atv; 
u_long t; 

icrotime (&atv) ; _ , , nnr \. 

t = (atv.tv.sec % (24 *60*60)) * 1000 + atv.cv_.usec / 1000, 

return (htonl(t)); 



APPENDIX B 



MODIFICATIONS TO PROXY FTP AND PROXY TELNET SOURCE CODE 



BNSOOCIO. <£P 0713311A1JJ- 



46 




EP 0 713 311 A1 



w 



jupiter-l/milkyway/devel/hungvu/milkyway/proxies/ftp) 75 >diff proxy-fcp.c /home 
/hoctub/hungvu/archive/ f wtk/ f tp-gw/ f tp-gw . c 
lcl 7 

< /* Copyright (c) 1993, Trusted Information Systems, incorporated 

> /*- 

> * Copyright (c) 1993, Trusted Information Systems, incorporated 
11, 17C12, 13 

< /* 

< * Copyright (c) 1994 , MilJcyway Networks Corporation 

< * All rights reserved. 

< V 

< / * 

< * Modified by Hung Vu March 26, 1994 to support real proxy ftp 



75 



20 



25 



30 
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> static 
Exp $"; 

> 

26a23,24 

> # include 

> # include 
31, 35d28 

< # include 

< # include 

< # include 

< ^include 

< ft include 
47c40 

< tfdefine 

> #define 
74d66 

< static 
99, 101d90 

< static int 

< static int 

< static 
109d97 

< #define 
117,120dl04 



char 



RcsIdU 



'$Header; ftp-gw.c,v 1.8 94/02/11 11:04:34 mjr 



<arpa/f tp . h> 
<arpa/telnet . h> 

<arpa/f tp.h> 
<arpa/ telnet. h> 
<arpa/inet . h> 
<sys/f ile.h> 
<net/if .h> 

VERSION "l.0 M 

VERSION "1.3" 

int 

cmd_enable ( ) ; 
cmd_disable ( ) ; 
void get_enablename ( ) 



authneeded - 1; 



OP DISABLED 



0100 



/* Has been disable */ 



< 


" en ■ , 


OP_AUTH, 


cmd. 


< 


"enable " , 


OP AUTH, 


cmd. 


< 


"dis" , 


OP AUTH, 


cmd. 


< 


"disable" , 


OP_AUTH, 


cmd. 


127dll0 






0, 


< 


"xcwd" , 


OP_CONN, 


129dlll 






0, 


< 


"xpwd" , 


OP_CONN , 


134dll5 






0, 


< 


"xcup" , 


OP_CONN, 


143dl23 








< 


-xrmd" , 


OP_CONN, 


0 , 


145dl24 






0, 


< 


•xmkd" , 


OP_CONN, 


147dl25 






0, 


< 


"xpwd" , 


OP_CONN, 


167dl44 








< 


"xrmd " , 


OP_CONN, 


0, 


169dl45 








< 


" xmkd " , 


OP_CONN, 


0, 



178, 182dl53 

< static struct 

< static char 

< static int 
< 



sockaddr_in f inal__sockaddr ; 

f inal_address[128) ; 

final_len = sizeof ( f inal_sockaddr ) ; 
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< 

197dl67 . 

< char *ptr; 
200,2l7cl70 

s < enlog ( "proxy- ftp" , LOG_PlD) ; 

< #else 

< openlog Cproxy-ftp*,LOG_PlD| LOG _NDELAY,LFAC) ; 

< #endif 
< 

< /* Hungvu March 26, 1994 */ 

< /* First get socket name */ 

w < getsockname(G, (struct sockaddr * ; &f inal_sockaddr ( & f ina l_len) ; 

< ptr = inet_ntoa (f inal_sockaddr . sin_acdr ) ; 

< strcpy (&f inal_address [0) ,ptr) ; 



15 



< /* 

< syslogfLLEV, "final address is %s or %s " , ptr , f inal_address) ; 

< */ 
< 

< if (pirate_check{ ) ) { 

< #ifdef BSDI 

< syslog (LLEV, ■•*** Wrong License info %lx and %lx", getetheraddr ( 
0 ) , getetheraddr ( 1 ) ) ; 

20 > openlog ( H f tp-gw M , LOG_PID) ; 

219,220cl72 

< syslog(LLEV, Wrong License info for HOSTID = %x M ,gethosti 
d( 

< ) J ; 

> openlog <" f tp-gw M , LOG_PID | LOG_NDELAY , LFAC) ; 

25 222,223dl73 

< exit ( 1) ; 

< ) 
227cl77 

< ifUconfp = cfg_read< "proxy- ftp") ) == (Cfg *)-!) 



30 



40 



> if((confp = cfg_read{ "ftp-gw M ) ) == (Cfg *)-!} 
295d244 

< /* 
306d254 

< */ 

308, 316d255 

< if (chdir ( ENABLE_D I RECTORY) ) { 

35 < sysloglLLEV, "chdir %S: %m'* , EN ABLE_D I RECTORY) ; 

< exit(l); 

< } 

< if (chroot ( EN ABLE_DI RECTORY) ) ( 

< syslogiLLEV, "chroot %S : %m", ENABLE_DI RECTORY ) ; 

< exit ( 1) ; 

< ) 

< chdir { "/-); 
375c314 

< sprintf (xuf , "220 %s proxy-FTP (Version %s) ready . " ,huf ,V 
ERSION) ; 

> sprintf (xuf , "220 %s FTP proxy (Version %s) ready . huf , V 
45 ERSION) ; 

401 , 404d339 

< #ifdef MICRO_BH 

< if <exceed_number (1) ) goto off now; 

< change_number (1 , 1 ) ; 

< #endif 

- n 422,425d356 

< ftifdef MICRO_BH 

< change_number ( - 1 , 1 ) ; 
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< goto of f now; 

< #endif • 
432,433c363,364 

< if(rfd != -1 && FD_ISSET(rfd. &rdy) ) 

if (peer reply ( ) ) 

> if <FD_ISSET(0,&rdy) ) 

> if (usercmd( ) ) 
437,4380368,369 

< if {FD_ISSET(0, trdy) ) 

< if (usercmd( } ) 

>" if{rfd != -1 && FD_ISSET(rfd,&rdy) ) 

> if (peerreply< ) ) 
456,459d386 

< #ifdef MICR0_BH 

< change_number (-1,1); 

< offnow: 

< tfendif 
487,5l6d413 

< /* 

< Hung Vu April 16, 1994 

< get: enable_name 

< */ 

20 < static void 

< gec_enablename ( enable_name) 

< char * enable _name; 
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< < 
< 

< 

< ) 



strcpy (enable_name,ENABLE_DlRECTORYCR) ; 
strcat (enable_name,riaddrl ; 



static int 

cmd_enable(ac ( av ( cbuf ) 
int ac; 
char *av[ ] ; 
char *cbuf; 



{ 



int fd; 

char enable_name (512 ) , 



< 

< get_enablename(enable_name) ; 

< if ( (fd = open (enable_name , 0_CRE AT , 0 660 ) ) === -1 ) return(l) 
35 < close ( fd) ; 

< say ( 0 , "Transparent mode enabled"); 

< syslog(LLEV, -Transparent mode enabled for host %s", riaddr) 

< return (0) ; 



< ) 
< 

518.532d414 

< static int 

< cmd_disable(ac,av,cbuf ) 

< int ac; 

< char *av [ ] ; 

< char *cbuf; 



{ 



int fd; 

char enable_narr.e [512] ; 



< 

< get_enablename (enable_name) ; 

< unl ink ( enable_name) ; 

< say ( 0 t "Transparent mode disable"); 

< syslog(LLEV, "Transparent disable for host %s" , riaddr); 
50 < return(O) ; 



< } 
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538, 540d419 

< , int fd; 

< char enable_name [512 ] ,- 

< -har buf[2); 
556,569 A 

< 

< /* Check for transparent: mode enabled. Hung Vu April 16, 1994 */ 

< get_enablename ( enable_narr.e) ; 

< if { <fd = open (enable_narr.e, O_RDONLY,0)) != -1) 

< authenticated =1; / * authenticated aire 



read(fd,buf , 1) ; 
< close (fd); 



ady 
< 
< 

< } else { 

FtpOp *cp; 

< for (op = ops; op -> name != (char *)0; op+ 
+ > 

< i£((op->flg & OP_AOK) == 0) 

< op->flg |= OP_AO*TH I CP_ 



< 



DISABLED; 

< authal 1 f lg++ ; 

< ) 
577d441 

20 < syslog(LL£V, "deny host=%s/%s use of gateway", rladdr . riaddr J ; 

666d529 
< 

682,692c545 

< if ( !strcmp(c->argv[x] , " -noauth" ) ) { 

< FtpOp *op; 
< 

2S < for (op = ops; op->name != (char *)0; op + + ) 

< if((op->flg & OP_AOK) == 0) 

< if (op->flc & OP_DISABLED) 

< op->flg !OP_AUTH; 

< authallflg = 0; 

< continue; 



< ) 
< 



708d560 



/* default turn on auth for ALL transactions 



748,750c600 
35 < /* Modified Hungvu Mar 26 1994 */ 

< static char noadf] = "501 Enter user user name or user username@s i te 
to connect via proxy"; 

< 

> static char noadf] = "501 Use user@site to connect via proxy"; 

755d604 

40 < struct sockaddr_in tsockaddr,- 

771,785cS20, 625 

< /* 

< It is all here for real proxy-tcp: 

< If user enter only username then used the 

< original destination address 

45 < V 

< if((p = rindex(av[l] , ) ) == (char *)0) ( 

< if (av(l] == (char *)0) return ( sayn ( 0 , noad , s izeof { noad ))) ; 

< else p s &f inal_address { 0 ] ; 

< ) 

< else { 

< *p = ' \C ' ; 

< p++; 

< if ( *p == ' \0' ) 
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) 

* f ( (P 

? + + ; 



&f inal_address [ 0 ] ; 



rindex(av[l] , '@ ' ) ) == (char *)0) 
recur n ( sayn {0 , noad, sizeof (noad) ) ) ; 



> if <*p == '\0' ) 

> p = "localhost" ; 

<°/ ^Modified by Hungvu May 28, 1994. Do not connect if connect back to self */ 

< tsockaddr.sin_addr.s_addr = ine:_addr (p) ; 

< if ( checkmyaddr Utsockaddr) == 0 ) { 



< 
< 
< 
< 

829d661 

< /* 
832d663 

< */ 
883c714 
< 

r) ; 



sprintf (t>uf , M Already connected to %s B /p); 

return(say (0,buf ) ) ; 



1161C992 
< 



sprintf (lbuf , "authorize %s ' proxy-ftp %s/%s "\ av ( 1 ) , rladdr , riadd 

sprintf (lbuf, -authorize %s -ftp-gw %s/%s 1 " . av[ll , rladdr , riaddr) ; 
kbuf(2] = IAC; 



> kbuffl] = IAC; 

1182, 1184dl012 

< #ifdef MICROJM 

< cha nge_n umber ( -1 , 1) ; 

< #endif 
1655aI484 ( 1485 
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jupiter- I /home/hottub/hungvu/archive/fwtk/tn-gw] 70 >dif£ proxy- telnet . c /home/h 

ottub/hungvW archive / f wtk/ tn-gw/ tn-gw . c 

7-a8 

> 

11, I7cl 

< /* 

< * Copyright (c) 1994, Milkyway Networks Corporation 

< ♦ All rights reserved. 

< */ 

< / * 

< * Modified by Hung Vu March 26, 1994 to support real proxy telnet 

< */ 



> static 
Exp 

35, 36d29 

< # include 

< # include 
51c44 

< #define 

> #define 
57c50 

< static 

> static 
84, 87d76 

< static 

< static 

< static 



char Res Id [] = "$Header: tn-gw. c,v 1.6 94/02/11 11:04:41 m j r 



<net/if .h> 
<sys/f ile .h> 

VERSION "V1.0- 
VERSION "VI. 3" 
int 



int 

int 
int 
void 



authneeded = 1 ; 
aut hneeded = 0 ; 



cmd_enable<) ; 
cmd_di sable ( ) ; 
get_enablename ( ) ; 



enable tranparent mode", 
disable tranparent mode' 



cmd_enable , 
cmd_di sable , 



Wrong License info for HOSTID = %x H ,gethosti 



95, 96d83 

< -enable", 

< "disable" , 
124 , 130clll 

< openlog( "proxy- telnet " , LOG_PID) ; 

< # el se 

< openlog ( "proxy- telnet " , LOG_PID | LOG_NDELAY , LFAC ) ; 

< # end if 

< if <pirate_check< ) ) { 

< #ifdef syslog(LLEV, "*** Wrong License info %lx and %lx", get etheraddr ( 
0) , getetheraddr ( 1) ); 

> openlog ( " tn-gw" , L0G_PID) ; 
132cll3 

< syslog(LLEV, 
d ( ) ) ; 

> openlog ( " tn-gw" , LOG_PID | LOG_NDELAY . LFAC ) ; 
134 r 135dll4 

< exit ( 1) ; 

< ) 

140C119 £ x , t 

< if((confp = cfg_read( "proxy- telnet" ) } == (Cfg *)-l) 

> if((confp = cfg_read< "tn-gw" ) ) (Cfg *)-l) 
192dl70 

< /* 
203dl80 

< */ 

205.213dl81 

< if (Chdir < ENABLE_DI RECTORY) ) { 

< syslog(LLEV, "Chdir %S: %m" , ENABLE_DI RECTORY) ; 

< exit < 1) ; 

< } 
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< if (chroot (ENABLE^DI RECTORY) ) { 

< syslog(LLEV, "chroot %S: %m'\ ENABLE_D1RECT0RY) ; 

< . exit (1) ; 

< ) 

< chdir <"/"); 
265c233 

< prompt = "proxy- telnet-> H ; 
> prompt = M tn-gw-> # 

286c254 sprintf (xuf , "%s proxy-telnet (Version %s) ready : * , huf . VERSION) 



> sprintf (xuf . "%s telnet proxy (Version %s) ready hut , VERSION) ; 
297,30001264 

< /* Modified HuncVu Mar 27, 1994 

< to support real proxy-telnet 

< v 

< if (notmyaddr < ) ) goto main_loop; 
75 306c270 

< goto leave2 ; 

> goto leave; 
309.3l3d272 

< main_loop: 

< #ifdef MICRO_BH 

< if (exceed_number (1) ) goto leave2 ; 

< change_number (1,1); 

< # endi f 
319a279 

> 

322, 325d281 
2S < #ifdef MICR0_BH 

< chang e_number ( -1 , 1 ) ; 

< goto leave2; 

< #endif 
383,386d338 

< #i£def MICR0_BH 

< change_number (-1,1) ; 

< #endif 

< leave2 : 
508 , 550d459 

< static void 

< get_enablename(enable_name) 

< char *enable__name,- 

35 < { 

< strcpy ( enabl e_name , ENABLE_DI RECTOR YCR ) ; 

< strcat (enable_name, riaddr ) ; 

< ) 
< 

< 

< static int 

40 < cmd.enab 1 e ( ac , a v , cbu f ) 

< int ac; 

< char *av [ ] ; 

< char *cbuf; 

< { 

< int fd; 

< char enable_name( 512 ) ; 



< 



get_enablename (enable_name) ; 

< if ( (fd = open (enable_name,0_CREAT, 0 660} ) == -1 ) return(l); 

< c lose ( fd) ; 

< say (0 , "Transparent mode enabled"), - 

< syslog(LLEV, "Transparent enabled for host %s", riaddr); 
50 < return(O) ; 

< ) 
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< static . int 

< cmd_disable(ac, av, cbuf ) 
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< int 

< char 

< char 

< ( 



< 
< 
< 
< 
< 
< 
< 

< > 



ac; 

*av[] ; 
*cbuf ; 

int 
char 



fd; 

enable_name[ 512 ] ; 



get_enablename (enable_name) ; 
unlink (enable__name) ; 

say ( 0 , "Transparent mode disable"); 

syslog(LLEV, "Transparent disable for host %s", riaddr); 
return (0) ; 



enable_name [512] ; 
fd; 

buf [2] ; 



555, 557d463 

< char 

< int 

< char 
571,577d476 
< 
< 
< 
( 
< 
< 
< 
< 

584d482 m _ . 

< syslog(LLEV, "deny host=%s/%s use of gateway" , riaddr , riaddr ) ; 

625d522 

< /* 

627 , 631d523 

< */ 

< continue; 

< if ( !strccnp(c->argv{x] , "-noauth") ) { 

< authneeded = 0; 



get_enablename{enable_name) ; 

if ( <fd = open(enable_name, 0_RDONLY , 0) ) »= -1) 

read (fd, buf , 1) ; 
authneeded = 0; 
close (fd) ; 
> else authneeded = 1; 



669a562 
> 

1045C938 
< 

ddr , riaddr) 



sprintf (cbuf , "authorize %s ' proxy- telnet %s/%s ' M , buf . r la 
sprintf (cbuf , "authorize %s ■ tn-gw %s/%s '", buf . riaddr , ria 



ddr ) ; 

1381, 1385C1274, 1276 

< / * 

< Check if the address of the socket is not my address. 

< If not call cmd.connect to connect immediately to the far end 

< */ 

< notmyaddrO 
> 

> #ifdef BINDDEBUG 

> debugbindO 
1387, 1398cl278, 1280 

< struct sockaddr_in 

< char 

< char 

< char 

< int 
< 



f inal_sockaddr ; 

f inal_address [ 128} ; 
f inal_port [ 16 ] ; 
*av[3]; 

f inal_len=sizeof ( f inal.sockaddr ) ; 
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getsockname(0 ( (struct sockaddr • J & f inal_scckaddr , & final_len> ; 
itoa(ntchs ( f inal_sockaddr . s in_port ) , f inal_port) ; 

. j- ■ -i a_a j l. _ ._ / c i ^. -. ^ ^./s^tarlH r cin annri ); 



< s-trcpy ( f inal_address , inet_ntoa ( f inal_sockaddr . sin_addr j 
5 < gv (0] = <char *) (0) ; 

< (1) = f inal_address ; 

< av[2] = final_port; 

> struct sockaddr_in nrya ; 

> int x; 

w > int nread; 

1400, 1401cl282,1291 

< #ifdef ^EBUG^^ Kfinal address is %s port is %s«, f ina l_address . f inal_por t 

) ; 

> if<(X = socket (AF_INET, SOCK_STREAM, 0> ) < 0) ( 

> perror ( "socket ") ; 

> exit < 1 ) ; 

> } 

> mya.sin_family = AF_INET; 

> bzero (&mya . sin.addr, sizeof (mya. sin_addr ) ) ; 

> #ifndef B INDDEBUG PORT 

20 > mya.sin_port = htons (TOPORT) ; 

> #else 

> mya.sin_port = htons ( BINDDEBUGPORT) ; 
1403, 1408C1293, 1308 

< if (checkmyaddr (&final_sockaddr) == 0) return (0); 

25 < f 

< /* Not my address, do connection to the far end */ 

< cmd.connect (3 , av, (char *)(0)); 

< return (1) ; 

> if (bind <x, (struct sockaddr *) &mya , sizeof (mya )) ) { 

> perror ( "bind" ) ; 
30 > exi t ( 1 ) ; 

> > 

> if Uisten(x, 1) < 0) { 

> perror {" listen" ) ; 

> exit (1) ; 

35 > if ((nread = accept (x . 0 , 0) ) < 0) { 

> perror ( -accept* ) ; 

> exit ( 1) ; 

> > 

> c lose (0 ) ; 

> dup (nread) ; 
40 > close (1) ; 

> dup (nread) ; 
1409al310 

> #endif 



Claims 

1. A method of providing a secure gateway between a private network and a potentially hostile network, comprising 
so the steps of: 

a) accepting from either network all communications packets that are encapsulated with a hardware destination 
address which matches the device address of the gateway; 

b) determining whether there is a process bound to a destination port number of an accepted communications 
55 packet; 

c) establishing a first communications session with a source address/source port of the accepted communi- 
cations packet if there is a process bound to the destination port number, else dropping the packet; 

d) establishing a second communications session with a destination address/destination port of the accepted 
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communications packet if a first communications session is established; and 

e) transparently moving data associated with each subsequent communications packet between the respective 
first and second communications sessions, whereby the first session communicates with the source and the 
second session communicates with the destination using the data moved between the first and second ses- 
s sions. 

2. A method of providing a secure gateway between a private network and a potentially hostile network as claimed 
in claim 1 wherein the step of determining involves checking to determine if a process is bound to the destination 
port number, and passing the packet to a generic process if a process is not bound to the destination port number, 

10 the generic process acting to establish the first and second communications sessions and to move the data between 

the first and second communications sessions. 

3. A method of providing a secure gateway between a private network and a potentially hostile network as claimed 
in claim 1 wherein the method further involves the steps of: 

15 

a) checking a rule base to determine if the source address requires authentication; and 

b) authenticating the source by requesting a user identification and a password and referencing a database 
to determine if the user identification and password are valid. 

20 4. a method of providing a secure gateway between a private network and a potentially hostile network as claimed 
in claim 1 wherein the method further involves the steps of: 

a) referencing a rule base after the first communications session is established to determine whether the 
source address is permitted to access to the destination address for a requested type of service: and 
25 b) cancelling the first communications session if the rule base does not include a rule to permit the source 

address to access the destination address for the requested type of service. 

5. A method of providing a secure gateway between a private network and a potentially hostile network as claimed 
in claim 3, wherein the method further involves the steps of: 

30 

a) creating a user authentication file which contains the source address of the authenticated user in a user 
authentication directory: and 

b) referring to the authentication file to determine if a source address has been authenticated each time a new 
communications session is initiated so that the gateway is completely transparent to an authenticated source. 

35 

6. A method of providing a secure gateway between a private network and a potentially hostile network as claimed 
in claim 5 wherein the user authentication file includes a creation time variable which is set to a system time value 
when the user is authenticated. 

•to 7. A method of providing a secure gateway between a private network and a potentially hostile network as claimed 
in claim 6 wherein the method further involves the steps of: 

a) updating a modification time variable of the authentication file each time the user initiates a new communi- 
cations session through the gateway station. 

A method of providing a secure gateway between a private network and a potentially hostile network as claimed 
in claim 7 wherein the method further involves the steps of: 

a) periodically checking each user authentication file to determine whether one of a first difference between 
50 the authentication time variable and the system time and a second difference between the modification time 

variable and the system time has exceeded a predefined threshold: and 

b) deleting the user file from the user authentication directory if the threshold has been exceeded by each of 
the first and second differences. 

55 9. a method for providing a secure gateway between a private network and potentially hostile network as claimed in 
claim 1 wherein the method further involves the steps of: 

a) performing a data sensitivity check on the data associated with each packet as a step in the process of 
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moving the data between the respective first and second communications sessions. 

10. A method of providing a secure gateway between a private network and a potentially hostile network, comprising 
the steps of: 

5 

a) accepting from either network all TCP/IP packets that are encapsulated with a hardware destination address 
which matches the device address of the gateway; 

b) determining whether there is a proxy process bound to a port for serving a destination port number of an 
accepted TCP/IP packet: 

W c) establishing a first communications session with a source address/source port number of the accepted 

TCP/I P packet if there is proxy process bound to the port for serving the destination port number, else dropping 
the packet: 

d) determining if the source address/source port number of the accepted packet is permitted to communicate 
with a destination address/destination port number of the accepted packet by referencing a rule base, and 
75 dropping the packet if a permission rule cannot be located: 

d) establishing a second communications session with the destination address/destination port number of the 
accepted TCP/I P packet if a first communications session is established and the permission rule is located: and 

e) transparently moving data associated with each subsequent TCP/IP packet between the respective first 
and second communications sessions, whereby the first session communicates with the source and the second 

20 session communicates with the destination using the data moved between the first and second sessions. 

11. A method of providing a secure gateway between a private network and a potentially hostile network as claimed 
in claim 10 wherein the step of determining involves checking a table to determine if a custom proxy process is 
bound to the destination port number, and passing the packet to a generic proxy process if a custom proxy process 

25 is not bound to the destination port number the generic proxy process being executed to establish the first and 

second communications sessions and to move the data between the first and second communications sessions. 

12. A method of providing a secure gateway between a private network and a potentially hostile network as claimed 
in claim 10 wherein the method further involves the steps of: 

a) checking a rule base to determine if the source requires authentication; 

b) checking an authentication directory to determine if an authentication file exists for the source in an instance 
where the source requires authentication: and 

c) if the source requires authentication and an authentication file for the source cannot be located, authenti- 
cating the source by requesting a user identification and a password and referencing a user identification 
database to determine if the user identification and password are valid. 

13. A method of providing a secure gateway between a private network and a potentially hostile network as claimed 
in claim 10 wherein the method further involves the steps of: 

a) referencing a rule base after the first communications session is established to determine whether a user 
identification/password at the source address is permitted to communicate with the destination address for a 
requested service; and 

b) cancelling the first communications session if the rule base does not include a rule to permit the user iden- 
tification/password at the source address to communicate with the destination address for the requested type 
of service. 

14. A method of providing a secure gateway between a private network and a potentially hostile network as claimed 
in claim 12, wherein the method further involves the steps of: 

50 

a) creating a user authentication file which contains the source address of the authenticated user in a user 
authentication directory: and 

b) referring to the authentication file to determine if a source address has been authenticated each time a new 
communications session is initiated so that the gateway is completely transparent to an authenticated source 

55 having an authentication file in the authentication directory. 

15. A method of providing a secure gateway between a private network and a potentially hostile network as claimed 
in claim 14 wherein a file creation time variable which is automatically set by an operating system of the gateway 
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station to a system time value when a Tile is created, is used to monitor a time when the user is authenticated. 

16. A method of providing a secure gateway between a private network and a potentially hostile network as claimed 
in claim 14 wherein the method further involves the steps of: 

5 

a) rewriting the user authentication file each time the user initiates a new communications session through 
the gateway station so that a modification time variable in the authentication file is automatically updated by 
the operating system of the secure gateway. 

10 17. A method of providing a secure gateway between a private network and a potentially hostile network as claimed 
in claim 16 wherein the method further involves the steps of: 

a) periodically checking each user authentication file to determine whether one of a first difference between 
the authentication time variable and the system time and a second difference between the modification time 

15 variable and the system time has exceeded a predefined threshold; and 

b) deleting the user file from the user authentication directory if the threshold has been exceeded by both of 
the first and second differences. 

18. A method for providing a secure gateway between a private network and potentially hostile network as claimed in 
20 claim 10 wherein the method further involves the steps of: 

a) performing a data sensitivity check on the data portion of each packet as a step in the process of moving 
the data between the respective first and second communications sessions, whereby the TCP/IP packet is 
passed by a modified kernel of an operating system of the secure gateway to the proxy process which extracts 
25 the data from the packet and passes the data from a one of the first and second communications sessions to 

a proxy process which operates at an application layer of the gateway station and the proxy process executes 
data screening algorithms to screen the data for elements that could represent a potential security breach 
before the data is passed to the other of the first and second communications sessions. 

oo 19. Apparatus for providing a secure gateway for data exchanges between a private network and a potentially hostile 
network, comprising in combination: 

a gateway station adapted for connection to a telecommunications connection with each of the private network 
and the potentially hostile network; 

an operating system executable by the gateway station, a kernel of the operating system having been modified 
so that the operating system: 

a) cannot forward any communications packet from the private network to the potentially hostile network 
or from the potentially hostile network to the private network; and 

b) will accept for processing any communications packet from either of the private network and the poten- 
tially hostile network provided that the packet is encapsulated with a hardware destination address that 
matches the device address of the gateway station on the respective network; and 

at least one proxy process executable by the gateway station, the at least one proxy process being adapted 
to transparently initiate a first communications session with a source of an initial data packet accepted by the 
operating system and to transparently initiate a second communications session with a destination of the 
packet, and to transparently pass the data portion of packets received by the first communications session to 
the second communications session and to pass the data portion of packets received by the second commu- 
nications session to the first communications session, whereby the first session communicates with the source 
using data from the second session and the second session communicates with the destination using data 
received from the first session. 

20. Apparatus for providing a secure gateway for data exchanges between a private network and a potentially hostile 
network as claimed in claim 19 wherein the operating system is a Unix operating system. 

55 

21. Apparatus for providing a secure gateway for data exchanges between a private network and a potentially hostile 
network as claimed in claim 19 wherein the at least one proxy process includes modified public domain proxy 
processes for servicing Telnet, FTP, and UDP communications. 
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22. Apparatus for providing a secure gateway for data exchanges between a private network and a potentially hostile 
network as claimed in claim 19 wherein the at least one proxy process is a generic proxy process capable of 
servicing any network service which may be communicated within TCP/IP protocol, on any one of the 64K TCP/IP 
communications ports. 

5 

23. Apparatus for providing a secure gateway for data exchanges between a private network and a potentially hostile 
network as claimed in claim 22 wherein the kernel is modified so that it will pass to the generic proxy process any 
communications packet having a destination port number that indicates a port to which no custom proxy process 
is bound, if the generic proxy process is bound to a predefined communications port when the communications 

10 packet is received by the kernel. 

24. Apparatus for providing a secure gateway for data exchanges between a private network and a potentially hostile 
network as claimed in claim 20 wherein the gateway station is a Unix station. 

is 25. Apparatus for providing a secure gateway for data exchanges between a private network and a potentially hostile 
network as claimed in claim 19 wherein the apparatus further includes programs for providing a security adminis- 
trator with an interface to permit the security administrator to build a rule base for controlling communications 
through the gateway station. 

20 26. Apparatus for providing a secure gateway for data exchanges between a private network and a potentially hostile 
network as claimed in claim 1 9 wherein the at least one proxy process includes domain proxy processes for serv- 
icing Gopher and TCP communications. 

27. Apparatus for providing a secure gateway for data exchanges between a private network and a potentially hostile 
25 network as claimed in claim 19 wherein the Gopher proxy process is enabled to authenticate users whenever a 

Gopher session is initiated and user authentication is required. 

28. Apparatus for providing a secure gateway for data exchanges between a private network and a potentially hostile 
network as claimed in claim 22 wherein the generic proxy process capable of servicing any network service which 

oo may be communicated within TCP/IP protocol on any one of the 64K TCP/IP communications ports is a TCP proxy 

process. 
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